
www.novell.com/documentation

Installation Guide
eDirectory 8.8 SP7

April 27, 2012

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2009-2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials
All third-party trademarks are the property of their respective owners.

Contents

About This Book

1 Installing or Upgrading Novell eDirectory on Linux
  1.1 System Requirements
  1.2 Prerequisites
  1.3 Hardware Requirements
  1.4 Forcing the Backlink Process to Run
  1.5 Upgrading eDirectory
    1.5.1 Server Health Checks
    1.5.2 Upgrading on Linux Servers Other Than OES
    1.5.3 Unattended Upgrade of eDirectory on UNIX
    1.5.4 Upgrading eDirectory on Existing OES
    1.5.5 Upgrading eDirectory During OES 1.0 to OES 2.0 Upgrade
    1.5.6 Upgrading the Tarball Deployment of eDirectory 8.8
    1.5.7 Upgrading Multiple Instances
    1.5.8 Disk Space Check on Upgrading to eDirectory 8.8 SP7
  1.6 Installing eDirectory
    1.6.1 Using SLP with eDirectory
    1.6.2 Using the nds-install Utility to Install eDirectory Components
    1.6.3 Nonroot User Installing eDirectory 8.8
    1.6.4 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
    1.6.5 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
    1.6.6 Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers
    1.6.7 Using the nmasinst Utility to Configure NMAS
    1.6.8 Nonroot user SNMP configuration

2 Installing or Upgrading Novell eDirectory on Solaris
  2.1 System Requirements
  2.2 Prerequisites
  2.3 Hardware Requirements
  2.4 Forcing the Backlink Process to Run
  2.5 Upgrading eDirectory
    2.5.1 Upgrading Multiple Instances
    2.5.2 Upgrading the Tarball Deployment of eDirectory 8.8
  2.6 Installing eDirectory
    2.6.1 Server Health Checks
    2.6.2 Using SLP with eDirectory
    2.6.3 Using the nds-install Utility to Install eDirectory Components
    2.6.4 Nonroot User Installing eDirectory 8.8
    2.6.5 Installing eDirectory 8.8 on Solaris 10 Zones
    2.6.6 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
    2.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
    2.6.8 Using ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers
    2.6.9 Using the nmasinst Utility to Configure NMAS
    2.6.10 Nonroot user SNMP configuration

3 Installing or Upgrading Novell eDirectory on AIX
  3.1 System Requirements
  3.2 Prerequisites
  3.3 Hardware Requirements
  3.4 Forcing the Backlink Process to Run
  3.5 Upgrading eDirectory
    3.5.1 Upgrading Multiple Instances
    3.5.2 Upgrading the Tarball Deployment of eDirectory 8.8
  3.6 Installing eDirectory
    3.6.1 Server Health Checks
    3.6.2 Using SLP with eDirectory
    3.6.3 Using the nds-install Utility to Install eDirectory Components
    3.6.4 Nonroot User Installing eDirectory 8.8
    3.6.5 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
    3.6.6 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
    3.6.7 Using ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers
    3.6.8 Using the nmasinst Utility to Configure NMAS
    3.6.9 Nonroot user SNMP configuration

4 Installing or Upgrading Novell eDirectory on Windows
  4.1 System Requirements
  4.2 Prerequisites
  4.3 Hardware Requirements
  4.4 Forcing the Backlink Process to Run
  4.5 Disk Space Check on Upgrading to eDirectory SP7 or later
  4.6 Installing Novell eDirectory on Windows
    4.6.1 Installing or Updating Novell eDirectory 8.8 on a Windows Server
    4.6.2 Server Health Checks
    4.6.3 Communicating with eDirectory through LDAP
    4.6.4 Installing NMAS Server Software
    4.6.5 Installing NMAS Client Software
    4.6.6 Installing into a Tree with Dotted Name Containers
    4.6.7 Unattended Install and Configure to eDirectory 8.8 SP7 on Windows

5 Relocating the DIB
  5.1 Linux and UNIX
  5.2 Windows

6 Upgrade Requirements of eDirectory 8.8
  6.1 Reference Changes in 8.8 SP1 or later versions
  6.2 Upgrade Process in 8.8 SP7
  6.3 Performing a Dry Run before Upgrading eDirectory
    6.3.1 Common Problems Encountered during the Upgrade Process

7 Configuring Novell eDirectory on Linux, Solaris, or AIX Systems
  7.1 Configuration Utilities
    7.1.1 The ndsconfig Utility
    7.1.2 Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects
    7.1.3 Using the nmasinst Utility to Configure Novell Modular Authentication Service
    7.1.4 Using ndsd init Script
  7.2 Configuration Parameters
  7.3 Security Considerations

8 Migrating to eDirectory 8.8 SP7
  8.1 Migrating to eDirectory 8.8 SP7 While Upgrading the Operating System
  8.2 Migrating to eDirectory 8.8 SP7 Without Upgrading the Operating System

9 Migrating eDirectory from NetWare to OES 2 Linux
  9.1 Planning Your Migration
    9.1.1 System Requirements
    9.1.2 Prerequisites
    9.1.3 Supported Platforms
    9.1.4 Considerations
  9.2 Migration Tools
  9.3 Migration Procedure
  9.4 After the Migration

10 Deploying eDirectory on High Availability Clusters
  10.1 Clustering eDirectory Services on Linux
    10.1.1 Prerequisites
    10.1.2 Installing and Configuring eDirectory
    10.1.3 Configuring SNMP Server in Clustered Linux Environments
  10.2 Clustering eDirectory Services on Windows
    10.2.1 Prerequisites
    10.2.2 Installing and Configuring eDirectory
    10.2.3 Configuring SNMP Server in Clustered Windows Environments
  10.3 Troubleshooting Clustered Environments
    10.3.1 Repairing or Upgrading eDirectory on Clustered Nodes
    10.3.2 Creating Windows Registry Keys
  10.4 Configuration Utility Options

11 Uninstalling Novell eDirectory
  11.1 Uninstalling eDirectory on Windows
    11.1.1 Uninstalling eDirectory, ConsoleOne, and SLP DA
    11.1.2 Unattended Uninstallation of eDirectory
    11.1.3 Uninstalling NICI
    11.1.4 Uninstalling Microsoft Visual C++ 2005 Runtime Libraries
  11.2 Uninstalling eDirectory on Linux, Solaris, or AIX
  11.3 Unattended Uninstallation of eDirectory on UNIX
  11.4 Caveats for Uninstalling eDirectory

12 Auditing eDirectory Events
  12.1 Auditing with Novell Audit
    12.1.1 Supported Platforms
    12.1.2 Prerequisites
    12.1.3 Installing Novell Audit Packages
    12.1.4 Installing the Novell Audit iManager Plug-in
    12.1.5 Understanding eDirectory Event Reporting
    12.1.6 Understanding eDirectory Event Types
    12.1.7 Understanding eDirectory Auditing Event Filtering
    12.1.8 Configuring the Novell Audit Platform Agent
    12.1.9 Configuring Novell Audit for eDirectory
    12.1.10 Loading the Audit Module
    12.1.11 Monitoring eDirectory Events with Sentinel
    12.1.12 Uninstalling the Novell Audit Packages
  12.2 Auditing with XDASv2

A Linux, Solaris, and AIX Packages for Novell eDirectory

B eDirectory Health Checks
  B.1 Need for Health Checks
  B.2 Performing Health Checks
    B.2.1 With the Upgrade
    B.2.2 As a Standalone Utility
  B.3 Types of Health Checks
    B.3.1 Basic Server Health
    B.3.2 Partitions and Replica Health
  B.4 Categorization of Health
    B.4.1 Normal
    B.4.2 Warning
    B.4.3 Critical
  B.5 Log Files

C Configuring OpenSLP for eDirectory
  C.1 Service Location Protocol
  C.2 SLP Fundamentals
    C.2.1 Novell Service Location Providers
    C.2.2 User Agents
    C.2.3 Service Agents
  C.3 Configuration Parameters

About This Book


This Installation Guide describes how to install Novell eDirectory 8.8. It is intended for network administrators, and contains the following sections:

- Chapter 1, "Installing or Upgrading Novell eDirectory on Linux," on page 9
- Chapter 2, "Installing or Upgrading Novell eDirectory on Solaris," on page 39
- Chapter 3, "Installing or Upgrading Novell eDirectory on AIX," on page 57
- Chapter 4, "Installing or Upgrading Novell eDirectory on Windows," on page 71
- Chapter 5, "Relocating the DIB," on page 93
- Chapter 6, "Upgrade Requirements of eDirectory 8.8," on page 95
- Chapter 7, "Configuring Novell eDirectory on Linux, Solaris, or AIX Systems," on page 101
- Chapter 8, "Migrating to eDirectory 8.8 SP7," on page 109
- Chapter 9, "Migrating eDirectory from NetWare to OES 2 Linux," on page 113
- Chapter 10, "Deploying eDirectory on High Availability Clusters," on page 117
- Chapter 11, "Uninstalling Novell eDirectory," on page 125
- Chapter 12, "Auditing eDirectory Events," on page 133
- Appendix A, "Linux, Solaris, and AIX Packages for Novell eDirectory," on page 147
- Appendix B, "eDirectory Health Checks," on page 151
- Appendix C, "Configuring OpenSLP for eDirectory," on page 157

Audience
The guide is intended for network administrators.

Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there.

Documentation Updates
For the most recent version of the Novell eDirectory 8.8 SP7 Installation Guide, see the Novell eDirectory online documentation (http://www.novell.com/documentation/edir88/index.html) Web site.

Additional Documentation
For documentation on managing and administering eDirectory, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).


Installing or Upgrading Novell eDirectory on Linux

Use the following information to install or upgrade Novell eDirectory 8.8 on a Linux server:

- Section 1.1, "System Requirements," on page 9
- Section 1.2, "Prerequisites," on page 11
- Section 1.3, "Hardware Requirements," on page 13
- Section 1.4, "Forcing the Backlink Process to Run," on page 13
- Section 1.5, "Upgrading eDirectory," on page 13
- Section 1.6, "Installing eDirectory," on page 19

1.1 System Requirements

You must install eDirectory on one of the following platforms.

For a 32-bit eDirectory installation:

- 32-bit (x86_32)
  - SUSE Linux Enterprise Server (SLES) 11 SP1 and later Support Packs
  - SLES 10 SP4 and later Support Packs
    NOTE: You might get a warning message while installing eDirectory 8.8 SP7 on SLES 10 SP3. Ignore this warning message. For more information, see TID 7005524 (http://www.novell.com/support/kb/doc.php?id=7005524).
  - Red Hat Enterprise Linux (RHEL) AP 5.4 and later Support Packs
  - RHEL 6 AP and its Support Packs
  - RHEL 6 AP virtualization
  - Xen (on SLES 10 and SLES 11 and their Support Packs)
  - VMware ESX
- 64-bit (x86_64)
  - SLES 11 SP1 and later Support Packs
  - SLES 10 SP4 and later Support Packs
  - RHEL AP 5.4 and later Support Packs
  - RHEL 6 AP and its Support Packs
  - RHEL 6 AP virtualization
  - VMware ESX
  - Xen (on SLES 10 and SLES 11 and their Support Packs)


NOTE: eDirectory 8.8 SP7 is supported on SLES 10 XEN virtualization service that runs the SLES 10 guest OS. The following updates are available at the Novell Update Web site (https://update.novell.com):

- SUSELinuxEnterpriseServerX86_6410020061011020434
- SLES10Updates

For registering and updating SUSE Linux Enterprise 10, refer to "Registering SUSE Linux Enterprise with the Novell Customer Center" (http://www.suse.com/products/register.html). After installing the latest update, ensure that the minimum patch level of the installed update is 3.0.2_097630.8.

To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.

Ensure that the latest glibc patches are applied from Red Hat Errata (http://rhn.redhat.com/errata) on Red Hat systems. The minimum required version of the glibc library is version 2.1.

For a 64-bit eDirectory installation:

- SLES 11 SP1 64-bit and later Support Packs
- SLES 10 SP4 64-bit and later Support Packs
- RHEL 5 and its Support Packs
- RHEL 6 and its Support Packs
- VMware ESX
- RHEL virtualization (5.0 and 6.0)
- XEN (on SLES 10 and SLES 11 and their Support Packs)

NOTE: If you install eDirectory on a SLES 11 SP2 server within a BTRFS file system, you may experience performance issues when performing LDAP operations or using the Novell Import Conversion Export Utility (ICE). For performance reasons, it is recommended that you use the ext3 file system for your eDirectory server.

eDirectory also requires the following:

- A minimum of 512 MB RAM for eDirectory
- 162 MB of disk space for the eDirectory server
- 30 MB of disk space for the eDirectory administration utilities
- 150 MB of disk space for every 50,000 users
- Ensure that gettext is installed
  NOTE: By default, gettext is not installed. Ensure that you install it before you run nds-install, or the installer displays messages about it being missing. On SLES, gettext is available in install CDs.
- Ensure that the net-snmp-32bit RPM is installed on 64-bit SLES or OES Linux. The RPM is available in the SLES 10 64-bit install CD.
- If you use ZLM for patch management, apply the hot patch ZLM 6.6.2 HP4 before upgrading to eDirectory 8.8 SP7. On servers such as Vanilla SLES 10 or SLES 10 SP1, libredcarpet should be upgraded to the latest patch level using YaST Online Update.


1.2 Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if those products are supported on eDirectory 8.8 before upgrading your existing eDirectory environment. The prerequisites for other Novell products can be found on the Novell Documentation site (http://www.novell.com/documentation/). We also recommend you back up an eDirectory instance before performing any upgrades on that instance.

- (Conditional) Novell International Cryptographic Infrastructure (NICI) 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.

  When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2 KB. The only way to create a 4 KB key size is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.

  When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Section 1.6.2, "Using the nds-install Utility to Install eDirectory Components," on page 20. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see "Installing NICI" on page 23.

- Service Location Protocol (SLP) installed and configured

  With eDirectory 8.8, SLP does not get installed as part of the eDirectory installation. Only a root user can install SLP. For more information on installing SLP, refer to "Using SLP with eDirectory" on page 19.

- The Linux host enabled for multicast routing

  To check if the host is enabled for multicast routing, enter the following command:

      /bin/netstat -nr

  The following entry should be present in the routing table:

      224.0.0.0 0.0.0.0

  If the entry is not present, log in as root and enter the following command to enable multicast routing:

      route add -net 224.0.0.0 netmask 240.0.0.0 dev interface

  The interface could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used. For more information on multicast and broadcast routes, refer to the OpenSLP Web site (http://www.openslp.org/doc/html/UsersGuide/Installation.html).

- Network server time synchronized

  Use Network Time Protocol's (NTP) xntpd to synchronize time across all network servers.

- compat-libstdc++ RPM

  If the compat-libstdc++ RPM is not present on your host machine, install it. This RPM contains libstdc++-libc6.1-1.so.2.


- (Conditional) compat-libstdc++-33-3.2.3-61.i386.rpm

  If you are installing eDirectory on RHEL 5.4, install compat-libstdc++-33-3.2.3-61.i386.rpm.

- compat

  If the compat RPM is not present on your machine, install it. This RPM or the ncurses RPM contains libncurses.so.4.x or libncurses.so.5.x. eDirectory 8.8 supports libncurses.so.4.x and libncurses.so.5.x.

- For YaST-based installation, install the java 1_4_2 jre package. This contains libjava.so and libjvm.so.

- (Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.

- (Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, create a container and then partition it. Ensure that you have the following rights:
  - Supervisor rights to this partition.
  - All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
  - Entry rights: browse rights over Security container object.
  - All Attributes rights: read and compare rights over Security container object.

- (Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the administrator of the tree before adding the secondary using container admin.

- While configuring eDirectory, you must enable SLP services and a NetWare Core Protocol (NCP) port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:
  - LDAP clear text - 389
  - LDAP secured - 636
  - HTTP clear text - 8028
  - HTTP secured - 8030

  If you have enabled user-defined ports, you must specify these ports while configuring eDirectory.

- Do not set the user-defined ports to 8008 and 8010 while upgrading eDirectory 8.8 SP2 or later versions to 8.8 SP7. If the ports are set to 8008 or 8010, ndsconfig assumes that the server is a pre-eDirectory 8.8x server and automatically resets them to 8028 and 8030 respectively.

- During eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.
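The multicast-route check and the port rules in the prerequisites above can be scripted and run before installation. The following is an added example, not part of the Novell guide: the function names are hypothetical, and the sample routing tables and listener list are constructed.

```shell
#!/bin/sh
# Added example, not from the Novell guide. Function names are hypothetical
# and every SAMPLE_* value is constructed for illustration.

# Succeeds if `netstat -nr` output on stdin contains the entry the guide asks
# for: destination 224.0.0.0 with gateway 0.0.0.0. Whole fields are compared,
# so a destination such as 10.224.0.0 is not mistaken for the multicast route.
has_multicast_route() {
    awk '$1 == "224.0.0.0" && $2 == "0.0.0.0" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# check_upgrade_ports HTTP_PORT HTTPS_PORT
# Returns 0 if both user-defined ports can be kept across an upgrade,
# 1 if either is 8008 or 8010 (ndsconfig would reset them to 8028 and 8030),
# 2 if a value is not a port number in 1..65535.
check_upgrade_ports() {
    for p in "$1" "$2"; do
        case "$p" in
            ''|0*|*[!0-9]*|??????*)
                echo "invalid port: '$p'" >&2
                return 2 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2
            return 2
        fi
        case "$p" in
            8008|8010)
                echo "port $p would be reset by ndsconfig during upgrade" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Reads `netstat -ltn` style lines on stdin and prints "<port> <service>" for
# each listening default port named in the guide, once, in input order.
classify_edir_listeners() {
    awk '
        BEGIN {
            svc["524"]  = "NCP"
            svc["389"]  = "LDAP-cleartext"
            svc["636"]  = "LDAP-secured"
            svc["8028"] = "HTTP-cleartext"
            svc["8030"] = "HTTP-secured"
        }
        $NF == "LISTEN" {
            n = split($4, part, ":")      # port is the text after the last colon
            port = part[n]
            if ((port in svc) && !(port in seen)) {
                seen[port] = 1
                print port, svc[port]
            }
        }'
}

SAMPLE_ROUTES_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
0.0.0.0         192.168.10.1    0.0.0.0         UG        0 0          0 eth0'

SAMPLE_ROUTES_MISSING='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.224.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         192.168.10.1    0.0.0.0         UG        0 0          0 eth0'

SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:524             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 :::636                  :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.5:8028       0.0.0.0:*               LISTEN'

# Demo on the constructed samples; on a real host pipe in `/bin/netstat -nr`
# and `netstat -ltn` output instead.
if printf '%s\n' "$SAMPLE_ROUTES_MISSING" | has_multicast_route; then
    echo "multicast route present"
else
    echo "multicast route missing; as root: route add -net 224.0.0.0 netmask 240.0.0.0 dev <interface>"
fi
check_upgrade_ports 8008 8030 || echo "choose other user-defined ports before upgrading"
printf '%s\n' "$SAMPLE_LISTENERS" | classify_edir_listeners
```

The listener output marks which of the guide's default ports carry clear-text LDAP or HTTP, which helps decide what the firewall should expose beyond NCP.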

Configuring Static IP Address


A static IP address must be configured on the server for eDirectory to perform efficiently. Configuring eDirectory on servers with a DHCP address can lead to unpredictable results.


Novell eDirectory 8.8 SP7 Installation Guide

1.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory. Two factors increase performance: more cache memory and faster processors. For best results, cache as much of the Directory Information Base (DIB) Set as the hardware allows.

eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas (for example, logins), and having multiple threads active on multiple processors also improves performance. eDirectory itself is not processor intensive, but it is I/O intensive.

The following table illustrates typical system requirements for eDirectory for Linux:

Objects      Processor                          Memory   Hard Disk
100,000      Pentium III 450-700 MHz (single)   384 MB   144 MB
1 million    Pentium III 450-700 MHz (dual)     2 GB     1.5 GB
10 million   Pentium III 450-700 MHz (2 to 4)   2+ GB    15 GB

Requirements for processors might be greater than the table indicates, depending upon additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

1.4 Forcing the Backlink Process to Run

Because the internal eDirectory identifiers change when upgrading to Novell eDirectory, the backlink process must update backlinked objects for them to be consistent.

Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open, and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).

After migrating to eDirectory, start the DSTrace process by issuing the ndstrace -l>log& command, which runs the process in the background. This allows you to properly analyze the results of the backlinker process, which takes 4 to 10 minutes. Then force the backlink process to run by issuing the ndstrace -c 'set ndstrace=*B' command from the DSTrace OS command prompt. Review the results of the log file created in the first step. Then you can unload the DSTrace process by issuing the ndstrace -u command. Running the backlink process is especially important on servers that do not contain a replica.

1.5 Upgrading eDirectory

  Section 1.5.1, Server Health Checks
  Section 1.5.2, Upgrading on Linux Servers Other Than OES
  Section 1.5.3, Unattended Upgrade of eDirectory on UNIX
  Section 1.5.4, Upgrading eDirectory on Existing OES
  Section 1.5.5, Upgrading eDirectory During OES 1.0 to OES 2.0 Upgrade
  Section 1.5.6, Upgrading the Tarball Deployment of eDirectory 8.8

Installing or Upgrading Novell eDirectory on Linux


  Section 1.5.7, Upgrading Multiple Instances
  Section 1.5.8, Disk Space Check on Upgrading to eDirectory 8.8 SP7

IMPORTANT: Ensure that a supported version of SSP is installed on eDirectory 8.7.3 SPx before upgrading to eDirectory 8.8 SP7.
  For eDirectory 8.7.3 SP9, ensure that SSP203 is installed.
  For eDirectory 8.7.3 SP10, ensure that SSP206 is installed.

NOTE: The ndsconfig upgrade command is used to upgrade the necessary configuration of the individual components such as HTTP, LDAP, SNMP, SAS, and Novell Modular Authentication Service (NMAS). The eDirectory database is upgraded to a new format if eDirectory versions prior to eDirectory 8.8 SP1 are upgraded to eDirectory 8.8 SP7.

1.5.1 Server Health Checks

With eDirectory 8.8, when you upgrade eDirectory, a server health check is conducted by default to ensure that the server is safe for the upgrade:
  Section B.3.2, Partitions and Replica Health, on page 153

Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:
  If all the health checks are successful, the upgrade will continue.
  If there are minor errors, the upgrade will prompt you to continue or exit.
  If there are critical errors, the upgrade will exit.

See Appendix B, eDirectory Health Checks, on page 151 for a list of minor and critical error conditions.

Skipping Server Health Checks


To skip server health checks, run nds-install -j or ndsconfig upgrade -j from the installation folder. For more information, see Appendix B, eDirectory Health Checks, on page 151.

1.5.2 Upgrading on Linux Servers Other Than OES

If you have eDirectory 8.5.x or 8.6.x, you have to first upgrade to eDirectory 8.7.x and then upgrade to eDirectory 8.8.

To upgrade to eDirectory 8.8, use the nds-install utility. This utility is located in the Setup directory of the downloaded file for the Linux platform. Enter the following command from the Setup directory:
./nds-install

After the upgrade to eDirectory 8.8, the default location of the configuration files, data files, and log files are changed to /etc/opt/novell/eDirectory/conf, /var/opt/novell/eDirectory/data, and /var/opt/novell/eDirectory/log, respectively.

The new directory /var/opt/novell/eDirectory/data uses a symbolic link to the /var/nds directory.


The old configuration file /etc/nds.conf is migrated to the /etc/opt/novell/eDirectory/conf directory. The old configuration file /etc/nds.conf and the old log files under /var/nds are retained for reference.

NOTE: Run ndsconfig upgrade after nds-install, if the upgrade of the DIB fails and nds-install asks to do so.

NOTE: Health check fails due to time sync. To resolve this issue, perform a time sync between the instances. You can ignore this warning message during upgrade.

1.5.3 Unattended Upgrade of eDirectory on UNIX

On the UNIX platform, eDirectory provides switches and options along with the install script and configuration utility that facilitate the unattended upgrade. The following sections discuss various steps for unattended eDirectory upgrade on UNIX:

1 Perform the health check of eDirectory:

  Health check of all the root instances planned for upgrade is manually done by using the ndscheck utility.

  Export LD_LIBRARY_PATH, SHLIB_PATH and LIBPATH to the <untarred location of eDirectory>/eDirectory/setup/utils directory.

  1a Run ndscheck using one of the below commands:

     <untarred location of eDirectory>/eDirectory/setup/utils/ndscheck -a <user name> -w passwd --config-file <nds.conf with absolute path>

     Passing the password through environment variable:
     <untarred location of 88SP7>/eDirectory/setup/utils/ndscheck -a <user name> -w env:<environment variable> --config-file <nds.conf with absolute path>

     Passing the password through file:
     <untarred location of 88SP7>/eDirectory/setup/utils/ndscheck -a <user name> -w file:<filename> --config-file <nds.conf with absolute path>

     Any one of the above can be used in the automated script for the health check. For example:

     /Builds/eDirectory/utils/ndscheck -a admin.novell -w n
     /Builds/eDirectory/utils/ndscheck -a admin.novell -w env:ADM_PASWD
     /Builds/eDirectory/utils/ndscheck -a admin.novell -w file:adm_paswd

2 Upgrade the eDirectory 8.8 packages:

  2a Run the nds-install script to upgrade the packages as below:

     nds-install -u -i -j

3 Update the following environment variables:

  PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
  LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH
  MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
  TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale

4 Upgrade eDirectory by using the ndsconfig utility for all the root instances by using the following commands:

  ndsconfig upgrade -a <user name> -w passwd -c --config-file <nds.conf with absolute path>


  Passing the password through environment variable:
  ndsconfig upgrade -a <user name> -w env:<environment variable> -c --config-file <nds.conf with absolute path>

  Passing the password through file:
  ndsconfig upgrade -a <user name> -w file:<filename with absolute/relative path> -c --config-file <nds.conf with absolute path>

  Any of the above can be used in the automated script for the eDirectory upgrade. For example:

  ndsconfig upgrade -a admin.novell -w n -c --config-file /etc/opt/novell/eDirectory/conf/nds.conf
  ndsconfig upgrade -a admin.novell -w env:ADM_PASWD -c --config-file /etc/opt/novell/eDirectory/conf/nds.conf
  ndsconfig upgrade -a admin.novell -w file:/Builds/88SP7/adm_paswd -c --config-file /etc/opt/novell/eDirectory/conf/nds.conf
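The file: form of -w from steps 1 and 4, as an added example that is not part of the Novell guide. A password typed directly after -w is part of the command line, which other local users can read from the process list, so this sketch stores it in a file only its owner can read and refuses to build the commands otherwise. The function names and the use of GNU stat are assumptions; the ndscheck, nds-install and ndsconfig options are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example (not Novell code): prepare an unattended upgrade that passes
# the admin password with "-w file:<filename>" and checks the file first.

# write_pwfile FILE
# Reads the password from stdin and stores it in FILE with mode 0600.
# Any existing file is removed first so that old, wider permissions cannot survive.
write_pwfile() {
    rm -f -- "$1"
    ( umask 077; cat > "$1" )
}

# pwfile_is_private FILE
# Returns 0 only if FILE is a regular file (not a symlink), is owned by the
# calling user, and grants nothing to group or others.
pwfile_is_private() {
    local f=$1 mode owner
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1    # assumption: GNU stat (Linux)
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;                     # group and other digits are both 0
        *)   return 1 ;;
    esac
}

# upgrade_commands UTILS_DIR ADMIN PWFILE NDS_CONF
# Prints the commands of steps 1, 2 and 4 in order, one per line, for review
# or for an automation wrapper to run. Prints nothing and returns 1 if the
# password file is not private.
upgrade_commands() {
    local utils=$1 admin=$2 pwfile=$3 conf=$4
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing: $pwfile must be a regular file you own, mode 600 or stricter" >&2
        return 1
    fi
    printf '%s\n' \
        "$utils/ndscheck -a $admin -w file:$pwfile --config-file $conf" \
        "nds-install -u -i -j" \
        "ndsconfig upgrade -a $admin -w file:$pwfile -c --config-file $conf"
}

# Stand-alone use: script.sh UTILS_DIR ADMIN PWFILE NDS_CONF
if [ "$#" -eq 4 ]; then
    upgrade_commands "$@"
fi
```

Remove the password file once the upgrade of the last instance has finished.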

1.5.4 Upgrading eDirectory on Existing OES

For more information on upgrading eDirectory on an existing OES installation, refer to the Updating (Patching) an OES 2 SP3 Server (http://www.novell.com/documentation/oes2/inst_oes_lx/data/bxlu3xc.html) section in the OES Installation Guide.

1.5.5 Upgrading eDirectory During OES 1.0 to OES 2.0 Upgrade

eDirectory should be upgraded when OES upgrades from OES 1.0 to OES 2.0. For more information on OES upgrade, refer to the OES Linux Installation Guide (http://www.novell.com/documentation/oes/install_linux/data/bujr8yu.html).

Perform the following checks before upgrading the OES or eDirectory server:

  eDirectory Health Check
    Ensure that eDirectory health status is normal using the procedures specified in Appendix B, eDirectory Health Checks, on page 151. You can use the applicable tools for verification:
      Use iMonitor for eDirectory version prior to 8.8, see Using Novell iMonitor in the Novell eDirectory 8.8 SP7 Administration Guide.
      Use ndscheck utility for eDirectory version 8.8 or later, see General Utilities in the Novell eDirectory 8.8 SP7 Administration Guide.

  Disk Space Check
    For eDirectory version prior to 8.8 SP1, ensure disk space available on the file system that holds the DIB at least equals the DIB size. For example, if the DIB size is 100 MB, the available disk space should not be less than 100 MB.

If the eDirectory health status is not normal or an error is detected, refer to the Section B.5, Log Files, on page 155.

1.5.6 Upgrading the Tarball Deployment of eDirectory 8.8

If you want to upgrade the tarball deployment from eDirectory 8.8 to eDirectory 8.8 SP7, perform the following steps:

1 Download the tarball build.

2 Take backup of the following configuration files:

  $NDSHOME/eDirectory/etc/opt/novell/eDirectory/conf/ndsimon.conf


  $NDSHOME/eDirectory/etc/opt/novell/eDirectory/conf/ice.conf
  $NDSHOME/eDirectory/etc/opt/novell/eDirectory/conf/ndsimonhealth.conf
  $NDSHOME/eDirectory/etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg

  $NDSHOME is the location where eDirectory is installed.

3 For upgrade of eDirectory versions lower than 8.8 SP1, do the following:

  Perform disk space check using ndscheck -D --config-file conf_file_path
  Create an empty file upgradeDIB under the DIB location of each server instance.
  The list of instances can be obtained using the ndsmanage utility.

4 Run pre-upgrade health check for all the instances using ndscheck and check the ndscheck.log file for any errors before proceeding with the upgrade.

5 Stop all instances using ndsmanage.

6 Untar the tarball in the same location ($NDSHOME) where eDirectory is installed. By untarring the tarball in the same location, you are overwriting the binaries and libraries.

7 Upgrade the following packages if necessary.
Platform Linux 32-bit Command Packages

rpm -Uvh <rpm name>

novell-NOVLsubag-8.8.61.i586.rpm novell-NDSslp-8.8.21.i386.rpm nici-2.7.0-0.01.i386.rpm novell-NDSslp-8.81.i386.rpm

Linux 64-bit

novell-NOVLsubag-8.8.61.x86_64.rpm nici64-2.7.60.01.x86_64.rpm
NOTE: For more information on installing 32 and 64-bit NICI, refer to the Installing NICI on page 23.

Solaris 32-bit

Remove the older version using the command pkgrm <pkg name>. Install new version using the command pkgadd -d <pkg name>.

NOVLsubag.pkg NOVLniu0.pkg NDSslp.pkg

Solaris 64-bit

NOVLsubagx.pkg NOVLniu64.pkg

AIX

installp -acgXd <pkg name with full path> <pkg name> all

NDS.NOVLsubag.8.8.6.0 NOVLniu0.2.7.6.0 NDS.NDSslp.8.8.2.0

8 Restore the configuration files.


9 Run the $NDSHOME/eDirectory/opt/novell/eDirectory/bin/ndspath for setting all environment variables.

10 Run ndsconfig upgrade -j for all instances. While running ndsconfig upgrade, follow the order in which the master replica is the first, followed by Read/Write and others.

1.5.7 Upgrading Multiple Instances

This section contains the following information:
  Root User has Multiple Instances
  Non Root User's Instances
  Order of Upgrade

Root User has Multiple Instances


If you run nds-install after upgrading the package, it prompts you to upgrade the DIB files of all the eDirectory server instances, which might take a long time to complete. If you wish to perform the DIB upgrade in parallel, you can do it manually. For information about manually upgrading the DIB, refer to the eDirectory Readme (http://www.novell.com/documentation/edir88/edir887_unix_readme/data/edir887_unix_readme.html). If you upgrade the DIB for all the active instances one by one, it runs the ndsconfig upgrade command separately for each instance. If you have a larger DIB, you can select No and run the ndsconfig upgrade in parallel in separate shells, which can reduce the upgrade time of each instance.

Non Root User's Instances


If you have nonroot users' instances which are using the root user's binaries, before doing the package upgrade you need to run ndscheck for such instances and make sure that their health is proper by referring to the ndscheck.log file. If you run nds-install, it stops all the instances, including the nonroot users' instances. After doing the package upgrade, the nds-install command does not call ndsconfig upgrade for nonroot users' instances. You need to manually run ndsconfig upgrade for all nonroot users' instances to start these instances.

Order of Upgrade
While running ndsconfig upgrade, it is recommended to follow the order in which master replica comes first and then Read/Write or other replicas.

1.5.8 Disk Space Check on Upgrading to eDirectory 8.8 SP7

When an eDirectory server is upgraded from previous versions to eDirectory 8.8 SP7, a disk space check for the DIB upgrade is performed. The free disk space required on the file system where the DIB resides is equal to the DIB size. The messages of the disk space check are written to the ndscheck.log located in the instance's specific log directory. For the default instance, this is /var/opt/novell/eDirectory/log/ndscheck.log.

NOTE: The disk space check is required only during the DIB upgrade process. For more information, refer to Chapter 6, Upgrade Requirements of eDirectory 8.8, on page 95.


1.6 Installing eDirectory

The following sections provide information about installing Novell eDirectory on Linux:
  Section 1.6.1, Using SLP with eDirectory
  Section 1.6.2, Using the nds-install Utility to Install eDirectory Components
  Section 1.6.3, Nonroot User Installing eDirectory 8.8
  Section 1.6.4, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
  Section 1.6.5, Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
  Section 1.6.6, Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers
  Section 1.6.7, Using the nmasinst Utility to Configure NMAS
  Section 1.6.8, Nonroot user SNMP configuration

1.6.1 Using SLP with eDirectory

In earlier releases of eDirectory, SLP was installed during the eDirectory install. But with eDirectory 8.8, you need to separately install SLP before proceeding with the eDirectory install.

If you plan to use SLP to resolve tree names, you should install and configure the protocol, and the SLP directory agents (DAs) should be stable.

1 Install OpenSLP, if it is not already installed.

2 Follow the onscreen instructions to complete the SLP installation.

3 Start SLP manually as follows:

  /etc/init.d/slpd start

For more information, refer to Appendix C, Configuring OpenSLP for eDirectory, on page 157.

Similarly, when you uninstall the SLP package, you need to stop SLP manually, as follows:


/etc/init.d/slpd stop

If you don't want to (or cannot) use SLP, you can use the flat file hosts.nds to resolve tree names to server referrals. The hosts.nds file can be used to avoid SLP multicast delays when SLP DA is not present in the network.

hosts.nds is a static lookup table used by eDirectory applications to search eDirectory partition and servers. In the hosts.nds file, for each tree or server, a single line contains the following information:

  Tree/Server Name: Tree names end with a trailing dot (.).
  Internet Address: This can be a DNS name or IP address.
  Server Port: Optional, appended with a colon (:) to the Internet address.

Local server need not have an entry in this file unless it is listening on non-default NCP port.

The syntax followed in the hosts.nds file is as follows:

<[partition name.]tree name>. <host-name/ip-addr>[:<port>]
<server name> <dns-addr/ip-addr>[:<port>]

For example:

# This is an example of a hosts.nds file:
# Tree name          Internet address/DNS Resolvable Name
CORPORATE.           myserver.mycompany.com
novell.CORPORATE.    1.2.3.4:524
# Server name        Internet address
CORPSERVER           myserver.mycompany.com
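A lint for the hosts.nds syntax just described, as an added example that is not part of the Novell guide or of eDirectory. It assumes IPv4 or DNS addresses, treats everything after # as a comment, and fills in 524 (the default NCP port named in the prerequisites) when no port is given; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Novell code): check a hosts.nds file before deploying it.

# parse_hosts_nds [FILE]
# Reads FILE (or stdin) and prints one line per valid entry:
#   <tree|server> <name> <address> <port>
# Malformed lines are reported on stderr with their line number and the
# function returns 1 if any were found.
parse_hosts_nds() {
    awk '
        function fail(msg) {
            printf "line %d: %s\n", NR, msg > "/dev/stderr"
            bad = 1
        }
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }          # assumption: text after # is a comment
        NF == 0 { next }            # blank or comment-only line
        NF != 2 { fail("expected <name> <address>[:<port>]"); next }
        {
            name = $1
            n = split($2, part, ":")
            host = part[1]
            # No port given: assume the default NCP port.
            port = (n == 2) ? part[2] : 524
            if (n > 2 || host == "") { fail("bad address " $2); next }
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) {
                fail("bad port in " $2); next
            }
            # Tree names end with a trailing dot; anything else is a server.
            kind = (name ~ /\.$/) ? "tree" : "server"
            print kind, name, host, port
        }
        END { exit bad }
    ' "${1:--}"
}

# sample_hosts_nds: the example file from this section, embedded for the demo.
sample_hosts_nds() {
    cat <<'EOF'
# This is an example of a hosts.nds file:
CORPORATE.           myserver.mycompany.com
novell.CORPORATE.    1.2.3.4:524
CORPSERVER           myserver.mycompany.com
EOF
}

# Stand-alone use: with a file argument, lint that file; otherwise lint the sample.
if [ "$#" -ge 1 ]; then
    parse_hosts_nds "$1"
else
    sample_hosts_nds | parse_hosts_nds
fi
```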

See the hosts.nds man page for more details.

If you decide to use SLP to resolve the tree name to determine if the eDirectory tree is advertised, after eDirectory and SLP are installed, enter the following:

/usr/bin/slptool findattrs "services:ndap.novell///(svcname-ws==[treename or *])"

For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:

/usr/bin/slptool findattrs "services:ndap.novell///(svcname-ws==SAMPLE_TREE)/"

If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, then the output will be similar to the following:

service:ndap.novell:///SAMPLE_TREE

If you do not have a service registered with its svcname-ws attribute as SAMPLE_TREE, there will be no output.

For more information, see Appendix C, Configuring OpenSLP for eDirectory, on page 157.

1.6.2 Using the nds-install Utility to Install eDirectory Components

Use the nds-install utility to install eDirectory components on Linux systems. This utility is located in the Setup directory of the downloaded file for the Linux platform. The utility adds the required packages based on what components you choose to install.

IMPORTANT: If the ZENworks Linux Management client is installed and the daemon (rcd) is running, then before running nds-install, stop the daemon using the command /etc/init.d/rcd stop.

1 Enter the following command at the setup directory:

  ./nds-install

  If you do not provide the required parameters in the command line, the nds-install utility will prompt you for the parameters.

  The following table provides a description of the nds-install utility parameters:


  nds-install Parameter / Description

  -h or --help
      Displays help for nds-install.
  -i
      Prevents the nds-install script from invoking the ndsconfig upgrade command if a DIB is detected at the time of the upgrade.
  -j
      Jumps or overrides the health check option before installing eDirectory. For more information about health checks, refer to Appendix B, eDirectory Health Checks, on page 151.
  -m
      Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.
  -u
      Specifies the option to use in an unattended install mode. For unattended install to proceed, you need to enter at least the -c option at the command line, or else the install will abort.

  The installation program installs the following RPMs:

  eDirectory Component: eDirectory Server
  Description: The eDirectory replica server is installed on the specified server.
  Packages Installed:
      novell-NDSbase, novell-NDScommon, novell-NDSmasv, novell-NDSserv,
      novell-NDSimon, novell-NDSrepair, novell-NDSdexvnt, novell-NOVLsubag,
      novell-NOVLsnmp, novell-NOVLpkit, novell-NOVLpkis, novell-NOVLpkia,
      novell-NOVLembox, novell-NOVLlmgnt, novell-NOVLxis, novell-NLDAPsdk,
      novell-NLDAPbase, novell-NOVLsas, novell-NOVLntls, novell-NOVLnmas,
      novell-NOVLldif2dib, novell-NOVLncp

  eDirectory Component: Administration Utilities
  Description: The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation.
  Packages Installed:
      novell-NOVLice, novell-NDSbase, novell-NLDAPbase, novell-NLDAPsdk,
      novell-NOVLpkia, novell-NOVLxis, novell-NOVLlmgnt

2 If you are prompted, enter the complete path to the license file.

  You will be prompted to enter the complete path to the license file only if the installation program cannot locate the file in the default location. The default location is the /var, the mounted license diskette, or the current directory.

  If the path you entered is not valid, you will be prompted to enter the correct path.

3 After the installation is complete, you need to update the following environment variables and export them. You can either do it manually or use a script.

  Manually export the environment variables by entering the following commands:

  For 32-bit

  export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH

  For 64-bit

  export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH
  export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
  export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

  Use the ndspath script to export the environment variables by performing the following steps:

  If you do not want to export the paths manually, you can use the /opt/novell/eDirectory/bin/ndspath script as follows:

  Prefix the ndspath script to the utility and run the utility you want as follows:

  /opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

  NOTE: When you prefix the ndspath script to the commands with arguments, specify the arguments in double quotes.

  For example:

  /opt/novell/eDirectory/bin/ndspath ldapconfig "-s ldapTLSRequired=yes"

  Export the paths in the current shell as follows:

  . /opt/novell/eDirectory/bin/ndspath

  After entering the above command, run the utilities as you would normally do.

  The path exporting instructions should be placed at the end of /etc/profile or ~/.bashrc or similar scripts. Therefore, whenever you log in or open a new shell, you can start using the utilities directly.


You can use the ndsconfig utility to configure eDirectory Server after installation.

Novell Modular Authentication Service (NMAS) is installed as part of the server component. By default, ndsconfig configures NMAS. You can also use the nmasinst utility to configure NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.

For more information on the ndsconfig utility, see The ndsconfig Utility on page 101.

For more information on the nmasinst utility, see Using the nmasinst Utility to Configure NMAS on page 37.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory, in the Novell eDirectory 8.8 SP7 Administration Guide.

1.6.3 Nonroot User Installing eDirectory 8.8

A nonroot user can install eDirectory 8.8 using the tarball.

Prerequisites

  If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to Installing NICI on page 23.
  Ensure that SNMP subagent is installed using the command rpm --nodeps <path of snmp subagent rpm>.
  If you want to use SLP and SNMP, ensure that they are installed by the root user.
  Write rights to the directory where you want to install eDirectory.
  If you are a non-administrator user, ensure that you have the appropriate rights as mentioned in the Section 1.2, Prerequisites, on page 11 section.

Installing NICI

NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used system-wide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.

With eDirectory 8.8 SP3 or later versions, 32 and 64-bit applications can coexist in a single system. This requires installing both the 32 and 64-bit versions of NICI.

Root User Installing NICI

To install NICI, enter both of the following commands:

  32-bit: rpm -ivh NICI_rpm_absolute_path/nici-2.7.4-0.01.i386_64.rpm
  64-bit: rpm -ivh NICI_rpm_absolute_path/nici64-2.7.4-0.01.x86.rpm


Nonroot User Installing NICI

Nonroot users can make use of the sudo utility to install NICI. sudo (superuser do) allows a root user to give certain users the ability to run some commands as root. A root user can do this by editing the /etc/sudoers configuration file and adding appropriate entries in it.

For more information, refer to the sudo Web site (http://www.sudo.ws/).

WARNING: sudo enables you to give limited root permissions to nonroot users. Therefore, you must understand the security implications before proceeding.

A root user needs to complete the following procedure to enable a nonroot user (for example, john) to install NICI:

1 Log in as root.

2 Edit the /etc/sudoers configuration file using the visudo command.

  NOTE: There is no space between vi and sudo in the command.

  Make an entry with the following information:

  Username hostname=(root) NOPASSWD: /bin/rpm

  For example, to enable user john to run /bin/rpm as root on the hostname lnx-2, type the following:

  john lnx-2=(root) NOPASSWD: /bin/rpm

A nonroot user (john, in this example) needs to do the following to install NICI:

1 Log in as john and execute the following command:

  sudo rpm -ivh nici_rpm_file_name_with_path

  For example:

  sudo rpm -ivh /88/Linux/Linux/setup/nici-2.7.0-5.i386.rpm

2 To initialize NICI, enter the following:

  ln -sf /var/opt/novell/nici /var/novell/nici

  To ensure that NICI is set to server mode, enter the following:

  /var/opt/novell/nici/set_server_mode

NICI gets installed in the server mode.

Installing eDirectory

1 Go to the directory where you want to install eDirectory.

2 Untar the tar file as follows:

  tar xvf /tar_file_name

  The etc, opt, and var directories are created.

3 Export the paths as follows:

  Manually export the environment variables by entering the following commands:

  For 32-bit


  export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:$LD_LIBRARY_PATH
  export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
  export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
  export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

  For 64-bit

  export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib64:custom_location/eDirectory/opt/novell/eDirectory/lib64/nds-modules:custom_location/eDirectory/opt/novell/lib64:$LD_LIBRARY_PATH
  export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
  export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
  export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

  Use the ndspath script to export the environment variables by performing the following steps:

  If you do not want to export the paths manually, prefix the ndspath script to the utility. Run the utility you want as follows:

  custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

  Export the paths in the current shell as follows:

  . custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath

  NOTE: Ensure that you enter the above commands from the custom_location/eDirectory/opt directory.

  After entering the above commands, run the utilities as you would normally do.

  Call the script in your profile, bashrc, or similar scripts. Therefore, whenever you log in or open a new shell, you can start using the utilities directly.


4 Configure eDirectory in the usual manner.

  You can configure eDirectory in any of the following ways:

  Use the ndsconfig utility as follows:

  ndsconfig new [-t <treename>] [-n <server_context>] [-a <admin_FDN>] [-w <admin password>] [-i] [-S <server_name>] [-d <path_for_dib>] [-m <module>] [-e] [-L <ldap_port>] [-l <SSL_port>] [-o <http_port>] [-O <https_port>] [-p <IP address:[port]>] [-c] [-b <port_to_bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>]

  For example:

  ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf

  The port numbers you enter need to be in the range 1024 to 65535. Port numbers lesser than 1024 are normally reserved for the super-user and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications.

  This might cause the following applications to break:
    The applications that don't have an option to specify the target server port.
    The older applications that use NCP, and run as root for 524.

  Use the ndsmanage utility to configure a new instance. For more information, refer to the Creating an Instance through ndsmanage on page 32.

  Follow the onscreen instructions to complete the configuration.

For more information, see Section 1.6.4, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 26.

IMPORTANT: Security Services cannot be updated separately with the tarball installation of eDirectory unlike the package installs. For tarball installation, the security updates can be obtained only through eDirectory support packs.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory, in the Novell eDirectory 8.8 SP7 Administration Guide.

1.6.4 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server

After installing eDirectory, configure the eDirectory replica server using the ndsconfig utility. You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see The ndsconfig Utility on page 101.

Prerequisite for Configuring eDirectory in a Specific Locale

If you want to configure eDirectory in a specific locale, you need to export LC_ALL and LANG to that particular locale before eDirectory configuration. For example, to configure eDirectory in the Japanese locale, enter the following:

export LC_ALL=ja
export LANG=ja

Creating A New Tree

Use the following syntax:

ndsconfig new [-t <treename>] [-n <server context>] [-a <admin FDN>] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [-e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-p <IP address:[port]>] [-R] [-c] [-w <admin password>] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>]

A new tree is installed with the specified tree name and context.

There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:
  tree_name: 32 characters
  admin FDN: 255 characters
  server FDN: 255 characters

If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

Or, you can also use the following syntax:

ndsconfig def [-t <treename>] [-n <server context>] [-a <admin FDN>] [-w <admin password>] [-c] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [-e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-D <custom_location>] [--config-file <configuration_file>]

A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

For example, to create a new tree, you could enter the following command:

ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company

Adding a Server into an Existing Tree

Use the following syntax:

ndsconfig add [-t <treename>] [-n <server context>] [-a <admin FDN>] [-w <admin password>] [-e] [-P <LDAP URL(s)>] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-S <server name>] [-d <path for dib>] [-m <module>] [-p <IP address:[port]>] [-R] [-c] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>] [-E]

A server is added to an existing tree in the specified context. If the context that the user wants to add the Server object to does not exist, ndsconfig creates the context and adds the server.

LDAP and security services can also be added after eDirectory has been installed into the existing tree.

For example, to add a server into an existing tree, you could enter the following command:

ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1

You can enable encrypted replication in the server you want to add using the -E option. For more information on encrypted replication, see Encrypted Replication in the Novell eDirectory 8.8 SP7 Administration Guide.

Removing a Server Object And Directory Services From a Tree


Use the following syntax:
ndsconfig rm [-a <admin FDN>] [-w <admin password>] [-p <IP address:[port]>] [-c]

eDirectory and its database are removed from the server.

NOTE: The HTML files created using iMonitor will not be removed. You must manually remove these files from /var/opt/novell/eDirectory/data/dsreports before removing eDirectory.

For example, to remove the eDirectory Server object and directory services from a tree, you could enter the following command:


ndsconfig rm -a cn=admin.o=company

ndsconfig Utility Parameters


ndsconfig Parameter
    Description

new
    Creates a new eDirectory tree. If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

def
    Creates a new eDirectory tree. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

add
    Adds a server into an existing tree. Also adds LDAP and SAS services, after eDirectory has been configured in the existing tree.

rm
    Removes the Server object and directory services from a tree.
    NOTE: This option does not remove the key material objects. These objects must be removed manually.

upgrade
    Upgrades eDirectory to a later version.

-i
    While configuring a new tree, ignores checking whether a tree of the same name exists. Multiple trees of the same name can exist.

-S server name
    Specifies the server name. The server name can also contain dots (for example, novell.com). Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped out, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on a UNIX server using novell.com as the name of the O, use the following command:

    ndsconfig new -a "admin.novell\\.com" -t novell_tree -n "OU=servers.O=novell\\.com"

    The Admin name and context and the server context parameters are enclosed in double quotes, and only the '.' in novell.com is escaped using the '\\' (backslash) character. You can also use this format when installing a server into an existing tree.
    NOTE: You cannot start a name with a dot. For example, you cannot install a server that has the name .novell, because it starts with a dot ('.').

-t treename
    The tree name to which the server has to be added. It can have a maximum of 32 characters. If not specified, ndsconfig takes the tree name from the n4u.nds.treename parameter that is specified in the /etc/opt/novell/eDirectory/conf/nds.conf file. The default treename is $LOGNAME-$HOSTNAME-NDStree.

-n server context
    Specifies the context of the server in which the server object is added. It can have a maximum of 64 characters. If the context is not specified, ndsconfig takes the context from the configuration parameter n4u.nds.server-context specified in the /etc/opt/novell/eDirectory/conf/nds.conf file. The server context should be specified in the typed form. The default context is org.

-d path for dib
    The directory path where the database files will be stored.

-r
    This option forcefully adds the replica of the server regardless of the number of servers already added to the server.

-L ldap_port
    Specifies the TCP port number on the LDAP server. If the default port 389 is already in use, it prompts for a new port.

-l ssl_port
    Specifies the SSL port number on the LDAP server. If the default port 636 is already in use, it prompts for a new port.

-a admin FDN
    Specifies the fully distinguished name of the User object with Supervisor rights to the context in which the server object and Directory services are to be created. The admin name should be specified in the typed form. It can have a maximum of 64 characters. The default admin name is admin.org.

-e
    Enables clear text passwords for LDAP objects.

-m modulename
    Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.
    NOTE: If you do not want to configure Novell SecretStore during eDirectory upgrade through nds-install, pass the no_ss value to this option. For example, nds-install '-m no_ss'.

-o
    Specifies the HTTP clear port number.

-O
    Specifies the HTTP secure port number.

-p <IP address:[port]>
    This option is used for secondary server addition (add command) to a tree. It specifies the IP address of the remote host that holds a replica of the partition to which this server is being added. The default port number is 524. This helps in faster lookup of the tree since it avoids SLP lookup.

-R
    By default a replica of the partition to which the server is added would be replicated to the local server. This option disallows adding replicas to the local server.

-c
    This option avoids prompts during ndsconfig operation, such as yes/no to continue the operation, or prompt to re-enter port numbers when there is a conflict, etc. The user receives prompts only for entering mandatory parameters if they are not passed on command line.

-w <admin password>
    This option allows passing the admin user password in clear text.
    NOTE: Since password is passed in clear text, this is not recommended as a safe option owing to password insecurity.

-E
    Enables encrypted replication for the server you are trying to add.

-j
    Jumps or overrides the health check option before installing eDirectory.

-b port to bind
    Sets the default port number on which a particular instance should listen on. This sets the default port number on n4u.server.tcp-port and n4u.server.udp-port. If an NCP port is passed using the -b option, then it is assumed to be the default port and the TCP and UDP parameters are updated accordingly.
    NOTE: -b and -B are exclusively used.

-B interface1@port1, interface2@port2,...
    Specifies the port number along with the IP address or interface. For example:
    -B eth0@524
    or
    -B 100.1.1.2@524
    NOTE: -b and -B are mutually exclusive.

--config-file configuration file
    Specify the absolute path and file name to store the nds.conf configuration file. For example, to store the configuration file in the /etc/opt/novell/eDirectory/ directory, enter --config-file /etc/opt/novell/eDirectory/nds.conf.

-P <LDAP URL(s)>
    Allows the LDAP URLs to configure the LDAP interface on the LDAP Server object. For example:
    -P ldap://1.2.3.4:1389,ldaps://1.2.3.4:1636

-D path_for_data
    Creates the data, dib, and log directories in the path mentioned.

set valuelist
    Sets the value for the specified eDirectory configurable parameters. It is used to set the bootstrapping parameters before configuring a tree. When configuration parameters are changed, ndsd needs to be restarted for the new value to take effect. However, for some configuration parameters, ndsd need not be restarted. These parameters are listed below:
    n4u.nds.inactivity-synchronization-interval
    n4u.nds.synchronization-restrictions
    n4u.nds.janitor-interval
    n4u.nds.backlink-interval
    n4u.nds.drl-interval
    n4u.nds.flatcleaning-interval
    n4u.nds.server-state-up-threshold
    n4u.nds.heartbeat-schema
    n4u.nds.heartbeat-data

get help paramlist
    Use to view the help strings for the specified eDirectory configurable parameters. If the parameter list is not specified, ndsconfig lists the help strings for all the eDirectory configurable parameters.

get paramlist
    Use to view the current value of the specified eDirectory configurable parameters. If the parameter list is not specified, ndsconfig lists all the eDirectory configurable parameters.
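The -w and -e rows of the parameter table are the two options that put passwords at risk. The following is an added example, not taken from the guide and not Novell code: a shell function that reviews install scripts for ndsconfig invocations using either option, without ever printing the password. The sample lines are constructed, and whitespace-separated arguments are assumed.

```shell
#!/bin/sh
# Added example (not Novell code): flag ndsconfig invocations that use the
# two options the parameter table marks as clear-text risks:
#   -w <admin password>   admin password passed in clear text
#   -e                    enables clear text passwords for LDAP objects
# Input: one command line per line (for example, lines of an install script).
# Assumption: arguments are separated by whitespace and not quoted with spaces.

audit_ndsconfig() {
    awk '
    /^[ \t]*#/ { next }                     # skip comment lines
    {
        cmd = 0; sub_cmd = ""
        for (i = 1; i <= NF; i++) {
            if (!cmd) {
                # Match "ndsconfig" or a path ending in "/ndsconfig".
                if ($i == "ndsconfig" || $i ~ /\/ndsconfig$/) {
                    cmd = 1
                    sub_cmd = (i < NF) ? $(i + 1) : "?"
                }
                continue
            }
            if ($i == "-w" && i < NF) {
                printf "line %d: ndsconfig %s: -w passes the admin password in clear text\n", NR, sub_cmd
                i++                         # skip the password; it is never printed
                found++
            } else if ($i == "-e") {
                printf "line %d: ndsconfig %s: -e enables clear text passwords for LDAP objects\n", NR, sub_cmd
                found++
            }
        }
    }
    END { exit (found > 0) }                # status 1 when anything was flagged
    '
}

# Constructed sample input (not from a real system).
sample_lines() {
cat <<'EOF'
ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company
/opt/novell/eDirectory/bin/ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -w S3cret-Example -S srv1 -e
ndsconfig rm -a cn=admin.o=company -c
EOF
}

sample_lines | audit_ndsconfig || echo "review the flagged invocations"
```

When -w is omitted, ndsconfig prompts for the missing parameter, which keeps the password out of scripts.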

1.6.5 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8

You can configure multiple instances of eDirectory 8.8 on a single host. For conceptual information on multiple instances, see "Multiple Instances" in the Novell eDirectory 8.8 SP7 What's New Guide.

The method to configure multiple instances is similar to configuring a single instance multiple times. Each instance should have unique instance identifiers, such as the following:

- Different data and log file location
  You can use the ndsconfig --config-file, -d, and -D options to do this.
- Unique port number for the instance to listen to
  You can use the ndsconfig -b and -B options to do this.
- Unique server name for the instance
  You can use the ndsconfig -S server name option to do this.

IMPORTANT: During eDirectory configuration, the default NCP server name is set as the host server name. When configuring multiple instances, you must change NCP server name. Use the ndsconfig command line option, -S <server_name> to specify a different server name.

When configuring multiple instances, either on the same tree or on different trees, the NCP server name should be unique.

NOTE: All the instances share the same server key (NICI).

You can also create a new instance using the ndsmanage utility. For more information, see "Creating an Instance through ndsmanage" on page 32.

To list all the instances on a specific host and do other operations on them, you can use the ndsmanage utility.

IMPORTANT: The install_location/etc/opt/novell/eDirectory/conf directory contains some of the critical configuration information used for tracking and managing the eDirectory instances running on your server. Do not remove any contents from this directory.

This section explains the following:

- "The ndsmanage Utility" on page 32
- "Listing the Instances" on page 32
- "Creating an Instance through ndsmanage" on page 32
- "Performing Operations for a Specific Instance" on page 33

The ndsmanage Utility


The ndsmanage utility enables you to do the following:

- List the instances configured
- Create a new instance
- Do the following for a selected instance:
  - List the replicas on the server
  - Start the instance
  - Stop the instance
  - Run DSTrace for the instance
  - Deconfigure the instance
- Start and Stop all instances

Listing the Instances


The following table describes how to list the eDirectory instances.

Table 1-1 ndsmanage Usage for Listing the Instances

Syntax               Description
ndsmanage            Lists all the instances configured by you.
ndsmanage -a|-all    List instances of all the users who are using a particular installation of eDirectory.
ndsmanage username   List the instances configured by a specific user

The following fields are displayed for every instance:

- Configuration file path
- Server fully distinguished name (FDN) and port
- Status (whether the instance is active or inactive)

NOTE: This utility lists all the instances configured for a single binary.

Refer to Figure 1-1 on page 33 for more information.

Creating an Instance through ndsmanage


To create a new instance through ndsmanage:

1 Enter the following command:

ndsmanage

If you have two instances configured, the following screen is displayed:

Figure 1-1 ndsmanage Utility Output Screen

2 Enter c to create a new instance.

You can either create a new tree or add a server to an existing tree. Follow the instructions on the screen to create a new instance.

Performing Operations for a Specific Instance


You can perform the following operations for every instance:

- "Starting a Specific Instance" on page 33
- "Stopping a Specific Instance" on page 34
- "Deconfiguring an Instance" on page 34

Other than the ones listed above, you can also run DSTrace for a selected instance.

Starting a Specific Instance


To start an instance configured by you, do the following:

1 Enter the following:

ndsmanage

2 Select the instance you want to start.

The menu expands to include the options you can perform on a specific instance.

Figure 1-2 ndsmanage Utility Output Screen with Instance Options

3 Enter s to start the instance.

Alternatively, you can also enter the following at the command prompt:
ndsmanage start --config-file configuration_file_of_the_instance_configured_by_you

Stopping a Specific Instance


To stop an instance configured by you, do the following:

1 Enter the following:

ndsmanage

2 Select the instance you want to stop.

The menu expands to include the options you can perform on a specific instance. For more information, refer to Figure 1-2, "ndsmanage Utility Output Screen with Instance Options," on page 34.

3 Enter k to stop the instance.

Alternatively, you can also enter the following at the command prompt:
ndsmanage stop --config-file configuration_file_of_the_instance_configured_by_you

Deconfiguring an Instance
To deconfigure an instance, do the following:

1 Enter the following:

ndsmanage

2 Select the instance you want to deconfigure.

The menu expands to include the options you can perform on a specific instance. For more information, refer to Figure 1-2, "ndsmanage Utility Output Screen with Instance Options," on page 34.

3 Enter d to deconfigure the instance.

Starting and Stopping All Instances


You can start and stop all the instances configured by you.

Starting all the Instances


To start all the instances configured by you, enter the following at the command prompt:
ndsmanage startall

To start a specific instance, refer to "Starting a Specific Instance" on page 33.

Stopping All Instances


To stop all the instances configured by you, enter the following at the command prompt:
ndsmanage stopall

To stop a specific instance, refer to "Stopping a Specific Instance" on page 34.

Example
Mary wants to configure 2 trees on a single host machine.

Planning the Setup


Mary specifies the following instance identifiers.

Instance 1:

Port number the instance should listen on   1524
Configuration file path                     /home/mary/inst1/nds.conf
var directory                               /home/mary/inst1/var

Instance 2:

Port number the instance should listen on   2524
Configuration file path                     /home/mary/inst2/nds.conf
var directory                               /home/mary/inst2/var

Configuring the Instances


To configure the instances based on the above mentioned instance identifiers, Mary must enter the following commands.

Instance 1:
ndsconfig new -t mytree -n o=novell -a cn=admin.o=company -b 1524 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf

Instance 2:
ndsconfig new -t corptree -n o=novell -a cn=admin.o=company -b 2524 -D /home/mary/inst2/var --config-file /home/mary/inst2/nds.conf

NOTE: On UNIX/Linux, OS restricts sockets creation on the mounted file system. With eDirectory, it is recommended to have the var directory on the local file system (-D option with ndsconfig) and the DIB directory can be of any file system (-d option with ndsconfig).
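The uniqueness rules for multiple instances can be checked before any ndsconfig command is run. The following is an added example, not Novell code: the five-column plan format and the server names mary-inst1 and mary-inst2 are assumptions of this example, while the tree names, ports and paths are the ones from Mary's setup.

```shell
#!/bin/sh
# Added example (not Novell code): pre-flight check of a multi-instance plan.
# Plan format is an assumption of this example, one instance per line:
#   <tree_name> <ncp_port> <server_name> <var_dir> <config_file>
# The fields correspond to ndsconfig -t, -b, -S, -D and --config-file.
# Rules taken from the guide: port, server name, var directory and
# configuration file must be unique per instance; the tree name is limited
# to 32 characters; a name cannot start with a dot.

check_instance_plan() {
    awk '
    function dup(kind, value,    key) {
        key = kind SUBSEP value
        if (key in seen) {
            printf "line %d: %s %s already used on line %d\n", NR, kind, value, seen[key]
            bad++
        } else {
            seen[key] = NR
        }
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }       # skip blank lines and comments
    NF != 5 {
        printf "line %d: expected 5 fields, got %d\n", NR, NF
        bad++
        next
    }
    {
        if (length($1) > 32) {
            printf "line %d: tree name %s is longer than 32 characters\n", NR, $1
            bad++
        }
        if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535) {
            printf "line %d: %s is not a valid port number\n", NR, $2
            bad++
        }
        if ($3 ~ /^\./) {
            printf "line %d: server name %s starts with a dot\n", NR, $3
            bad++
        }
        # Two instances may share a tree, so the tree name is not checked here.
        dup("port", $2)
        dup("server name", $3)
        dup("var directory", $4)
        dup("config file", $5)
    }
    END { exit (bad > 0) }                  # status 1 when the plan has problems
    '
}

# The plan from the example above; the server names are hypothetical,
# because the guide does not list them.
mary_plan() {
cat <<'EOF'
mytree   1524 mary-inst1 /home/mary/inst1/var /home/mary/inst1/nds.conf
corptree 2524 mary-inst2 /home/mary/inst2/var /home/mary/inst2/nds.conf
EOF
}

# Constructed bad plan: the second instance reuses the port and server name.
bad_plan() {
cat <<'EOF'
mytree   1524 host1 /home/mary/inst1/var /home/mary/inst1/nds.conf
corptree 1524 host1 /home/mary/inst2/var /home/mary/inst2/nds.conf
EOF
}

mary_plan | check_instance_plan && echo "plan OK"
bad_plan | check_instance_plan || echo "plan rejected"
```

The second plan shows what happens when -S is left out for both instances: each would default to the host server name, which the check reports as a duplicate.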

Invoking a Utility for an Instance


If Mary wants to run the DSTrace utility for instance 1 that is listening on port 1524, with its configuration file in /home/mary/inst1/nds.conf location and its DIB file located in /home/mary/inst1/var, then she can run the utility as follows:
ndstrace --config-file /home/mary/inst1/nds.conf

or
ndstrace -h 164.99.146.109:1524

If Mary does not specify the instance identifiers, the utility displays all the instances owned by Mary and prompts her to select an instance.

Listing the Instances


If Mary wants to know details about the instances in the host, she can run the ndsmanage utility.

To display all instances owned by Mary:
ndsmanage

To display all instances owned by John (username is john):
ndsmanage john

To display all instances of all users that are using a particular installation of eDirectory:
ndsmanage -a

1.6.6 Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers

You can use ndsconfig to install a Linux server into an eDirectory tree that has containers using dotted names (for example, novell.com).

Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped out, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on a Linux server using O=novell.com as the name of the O, use the following command:
ndsconfig new -a 'admin.novell\.com' -t novell_tree -n 'OU=servers.O=novell\.com'

The Admin name and context and the server context parameters are enclosed in double quotes, and only the dot (.) in novell.com is escaped using the \ (backslash) character.

You can also use this format when installing a server into an existing tree.

NOTE: You should use this format when entering dotted admin name and context while using utilities such as DSRepair, Backup, DSMerge, DSLogin, and ldapconfig.
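The escaping rule above is easy to get wrong when names come from variables. The following is an added example, not Novell code: the helper names nds_escape, nds_join and dotted_tree_command are hypothetical. It escapes the dots that belong to a name exactly once, rejects a name that starts with a dot, and prints the resulting command instead of running it.

```shell
#!/bin/sh
# Added example (not Novell code): build ndsconfig name arguments from
# components. Dots inside a component (novell.com) are escaped, so that only
# the unescaped dots separate components.

# nds_escape NAME: print NAME with every dot escaped exactly once.
nds_escape() {
    case $1 in
        '')        echo "empty name" >&2; return 1 ;;
        .*|\\.*)   echo "name must not start with a dot: $1" >&2; return 1 ;;
    esac
    # Undo existing escapes first, so already-escaped input is not doubled.
    printf '%s\n' "$1" | sed -e 's/\\\././g' -e 's/\./\\./g'
}

# nds_join COMPONENT...: escape each component and join them with dots,
# leaf first, for example: admin + novell.com -> admin.novell\.com
nds_join() {
    joined=""
    for part in "$@"; do
        escaped=$(nds_escape "$part") || return 1
        joined="${joined:+$joined.}$escaped"
    done
    printf '%s\n' "$joined"
}

# Print (do not run) the new-tree command for O=novell.com from this section.
# Single quotes in the printed command keep the backslashes intact.
dotted_tree_command() {
    admin_fdn=$(nds_join admin novell.com) || return 1
    server_ctx=$(nds_join OU=servers O=novell.com) || return 1
    printf "ndsconfig new -a '%s' -t novell_tree -n '%s'\n" "$admin_fdn" "$server_ctx"
}

dotted_tree_command
```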

1.6.7 Using the nmasinst Utility to Configure NMAS

From eDirectory 8.7.3 onwards, by default, ndsconfig configures NMAS. You can also use nmasinst on Linux, Solaris, and AIX systems to configure NMAS.

ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst.

IMPORTANT: You must configure eDirectory with ndsconfig before you install the NMAS login methods. You must also have administrative rights to the tree.

- "Configuring NMAS" on page 37
- "Installing Login Methods" on page 37

Configuring NMAS
By default, ndsconfig configures NMAS. You can also use nmasinst for the same.

To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:
nmasinst -i admin.context tree_name

nmasinst will prompt you for a password.

This command creates the objects in the Security container that NMAS needs, and installs the LDAP extensions for NMAS on the LDAP Server object in eDirectory.

The first time NMAS is installed in a tree, it must be installed by a user with enough rights to create objects in the Security container. However, subsequent installs can be done by container administrators with read-only rights to the Security container. nmasinst will verify that the NMAS objects exist in the Security container before it tries to create them.

nmasinst does not extend the schema. The NMAS schema is installed as part of the base eDirectory schema.

Installing Login Methods


To install login methods using nmasinst, enter the following at the server console command line:
nmasinst -addmethod admin.context tree_name config.txt_path

The last parameter specifies the config.txt file for the login method that is to be installed. A config.txt file is provided with each login method.

Here is an example of the -addmethod command:


nmasinst -addmethod admin.novell MY_TREE ./nmas-methods/novell/Simple Password/config.txt

If the login method already exists, nmasinst will update it.

For more information, see "Managing Login and Post-Login Methods and Sequences" (http://www.novell.com/documentation/nmas33/admin/data/a53vj9a.html) in the Novell Modular Authentication Services 3.3 Administration Guide.

1.6.8 Nonroot user SNMP configuration

NICI and NOVLsubag should be installed as root user.

1 Root User Installing NICI. Refer to "Root User Installing NICI" on page 23.

2 Root User Installing NOVLsubag.

To install NOVLsubag, complete the following procedure:

Enter the following command:

rpm -ivh --nodeps NOVLsubag_rpm_file_name_with_path

For example:

rpm -ivh --nodeps novell-NOVLsubag-8.8.1-5.i386.rpm

3 Export the paths as follows:

Manually export the environment variables.

For 32-bit

export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib:custom_location/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH

For 64-bit

export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH

export PATH=/opt/novell/eDirectory/bin:$PATH

export MANPATH=/opt/novell/man:$MANPATH

Installing or Upgrading Novell eDirectory on Solaris

Use the following information to install or upgrade Novell eDirectory 8.8 on a Solaris server:

- Section 2.1, "System Requirements," on page 39
- Section 2.2, "Prerequisites," on page 40
- Section 2.3, "Hardware Requirements," on page 41
- Section 2.4, "Forcing the Backlink Process to Run," on page 42
- Section 2.5, "Upgrading eDirectory," on page 42
- Section 2.6, "Installing eDirectory," on page 43

2.1 System Requirements

You must install eDirectory on one of the following platforms.

- For a 32-bit eDirectory installation:
  - Solaris 10 on Sun SPARC
- For a 64-bit eDirectory installation:
  - Solaris 10 on Sun SPARC
  - Solaris 10 Zones (Small Zone and Big Zone)

NOTE: Installation on Solaris 10 Zones is supported on eDirectory 8.8 SP5 or later. Regardless of the type of a zone, either a 32-bit eDirectory or a 64-bit eDirectory can be installed in each of the zones present in a system. In a zone only one type of eDirectory should be installed.

Update your system with the following libumem patches:

- SunOS 5.10: libumem library patch for Solaris 10 on SPARC
  Patch Id 12192102

NOTE: All latest recommended set of patches are available on the My Oracle Support* Web page (https://support.oracle.com). If you do not update your system with the latest patches before installing eDirectory, you will get the patchadd error.

eDirectory also requires the following:

- A minimum of 512 MB RAM
- 184 MB of disk space for the eDirectory server
- 43 MB of disk space for the eDirectory administration utilities
- 150 MB of disk space for every 50,000 users

2.2 Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). It is highly recommended that you back up eDirectory before any upgrades.

- (Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.

  When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2 KB. The only way to create a 4 KB key size is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.

  When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Section 2.6.3, "Using the nds-install Utility to Install eDirectory Components," on page 45. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see "Installing NICI" on page 48. The package containing NICI 2.7 is named NOVLniu0-2.7 on Solaris.

- SLP should be installed and configured.

  With eDirectory 8.8, SLP does not get installed as part of the eDirectory installation.

  If you are a root user, you need to install and configure SLP before proceeding with the eDirectory installation.

  If you are a nonroot user, SLP should be installed and configured before you proceed with the eDirectory installation. A nonroot user cannot install SLP.

  For more information on installing SLP, refer to "Using SLP with eDirectory" on page 44.

- Enable the Solaris host for multicast routing.

To check if the host is enabled for multicast routing, enter the following command:
/bin/netstat -nr

The following entry should be present in the routing table:
224.0.0.0 host_IP_address

If the entry is not present, log in as root, and enter the following command to enable multicast routing:
route add -net 224.0.0.0 -net 224.0.0.0 netmask 240.0.0.0 hme0

For more information on multicast and broadcast routes, refer to the OpenSLP Web site (http://www.openslp.org/doc/html/UsersGuide/Installation.html).

- If you have more than one server in the tree, the time on all the network servers should be synchronized. Use Network Time Protocol's (NTP) xntpd to synchronize time.

- To avail all the functionality of eMBox such as DSMerge, you need to install the latest Solaris patch 12 March 2009 or later.

- (Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.

- (Conditional) If you are installing a secondary server into an existing tree as a nonadministrator user, ensure that you have the following rights:
  - Supervisor rights to the container the server is being installed into.
  - Supervisor rights to the partition where you want to add the server.
    NOTE: This is required for adding the replica when the replica count is less than 3.
  - All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
  - Entry rights: browse rights over Security container object.
  - All Attributes rights: read and compare rights over Security container object.

- (Conditional) If you are installing a secondary server into an existing tree as a nonadministrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

- While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:
  - LDAP clear text - 389
  - LDAP secured - 636
  - HTTP clear text - 8028
  - HTTP secured - 8030

  If you have enabled user-defined ports, you must mention these ports while configuring eDirectory.

- During eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.

Configuring Static IP Address


Static IP address must be configured on the server for the eDirectory to perform efficiently. Configuring eDirectory on the servers with DHCP address can lead to unpredictable results.

2.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory. Two factors increase performance: more cache memory and faster processors. For best results, cache as much of the DIB Set as the hardware allows.

eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.

The following table illustrates typical system requirements for Novell eDirectory for Solaris.

Objects      Processor                                      Memory   Hard Disk
100,000      Sun* Enterprise 220                            384 MB   144 MB
1 million    Sun Enterprise 450                             2 GB     1.5 GB
10 million   Sun Enterprise 4500 with multiple processors   2+ GB    15 GB

Requirements for processors might be greater than the table indicates, depending upon additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

2.4 Forcing the Backlink Process to Run

Because the internal eDirectory identifiers change when upgrading to Novell eDirectory, the backlink process must update backlinked objects for them to be consistent.

Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open, and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).

After migrating to eDirectory, start the DSTrace process by issuing the ndstrace -l>log& command, which runs the process at the background. You can force the backlink to run by issuing the ndstrace -c set ndstrace=*B command from the DSTrace command prompt. Then you can unload the DSTrace process by issuing the ndstrace -u command. Running the backlink process is especially important on servers that do not contain a replica.

2.5 Upgrading eDirectory

If you have eDirectory 8.5.x or 8.6.x, you have to first upgrade to eDirectory 8.7x and then upgrade to eDirectory 8.8.
./nds-install

NOTE: Upgrade LUM to 2.1.2 if an older version is installed on the system.

After the upgrade to eDirectory 8.8, the default location of the configuration files, data files, and log files are changed to /etc/opt/novell/eDirectory/conf, /var/opt/novell/eDirectory/data, and /var/opt/novell/eDirectory/log respectively.

The new directory /var/opt/novell/eDirectory/data uses a symbolic link to the /var/nds directory.

The old configuration file /etc/nds.conf is migrated to /etc/opt/novell/eDirectory/conf directory. The old configuration file /etc/nds.conf is renamed to /etc/nds.conf_pre88 and the old log files under /var/nds are retained for reference.

NOTE: The ndsconfig upgrade command has to be run after nds-install, if upgrade of the DIB fails and nds-install asks to do so.

NOTE: Health check fails due to timesync. To resolve this issue, perform a timesync between the instances. You can ignore this warning message during upgrade.

2.5.1 Upgrading Multiple Instances

For information on Upgrading Multiple Instances, refer to Section 1.5.7, "Upgrading Multiple Instances," on page 18 in the Linux chapter.

2.5.2 Upgrading the Tarball Deployment of eDirectory 8.8

For information on upgrading the tarball deployment of eDirectory 8.8, refer to Section 1.5.6, "Upgrading the Tarball Deployment of eDirectory 8.8," on page 16 in the Linux chapter.

2.6 Installing eDirectory

The following sections provide information about installing Novell eDirectory on Solaris:

- Section 2.6.1, "Server Health Checks," on page 43
- Section 2.6.2, "Using SLP with eDirectory," on page 44
- Section 2.6.3, "Using the nds-install Utility to Install eDirectory Components," on page 45
- Section 2.6.4, "Nonroot User Installing eDirectory 8.8," on page 47
- Section 2.6.5, "Installing eDirectory 8.8 on Solaris 10 Zones," on page 50
- Section 2.6.6, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server," on page 51
- Section 2.6.7, "Using ndsconfig to Configure Multiple Instances of eDirectory 8.8," on page 53
- Section 2.6.8, "Using ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers," on page 53
- Section 2.6.9, "Using the nmasinst Utility to Configure NMAS," on page 54
- Section 2.6.10, "Nonroot user SNMP configuration," on page 55

2.6.1 Server Health Checks

With eDirectory 8.8, when you upgrade or install eDirectory, two server health checks are conducted by default to ensure that the server is safe for the upgrade.

- Section B.3.1, "Basic Server Health," on page 152
- Section B.3.2, "Partitions and Replica Health," on page 153

Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:

- If all the health checks are successful, the upgrade will continue.
- If there are minor errors, the upgrade will prompt you to continue or exit.
- If there are critical errors, the upgrade will exit.

See Appendix B, "eDirectory Health Checks," on page 151 for a list of minor and critical error conditions.

Skipping Server Health Checks


To skip server health checks, use nds-install -j or ndsconfig upgrade -j.

For more information, see Appendix B, "eDirectory Health Checks," on page 151.

2.6.2 Using SLP with eDirectory

In earlier releases of eDirectory, SLP was installed during the eDirectory install. But with eDirectory 8.8, you need to separately install SLP before proceeding with the eDirectory install.

If you plan to use SLP to resolve tree names, it should have been properly configured and SLP DAs should be stable.

1 To install SLP, enter the following:

pkgadd -d filename_and_absolute_path_of_NDSslp.pkg

The SLP package is present in the setup directory in the build. For example, if you have the build in the /home/build directory, enter the following command:

pkgadd -d /home/build/Solaris/Solaris/setup/NDSslp.pkg

2 Follow the onscreen instructions to complete SLP installation.

3 Start SLP.

If you don't want to (or cannot) use SLP, you can use the flat file hosts.nds to resolve tree names to server referrals. The hosts.nds file can be used to avoid SLP multicast delays when a SLP DA is not present in the network. hosts.nds is a static lookup table used by eDirectory applications to search eDirectory partition and servers. For more information on hosts.nds, refer to "Using SLP with eDirectory" on page 19 and the hosts.nds man page.

If you decide to use SLP to resolve the tree name to determine if the eDirectory tree is advertised, after eDirectory and SLP are installed, enter the following:


/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==[treename or *])"

For example, to search for the services whose svcname-ws attribute match with the value SAMPLE_TREE, enter the following command:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==SAMPLE_TREE)/"

If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, then the output will be similar to the following:
service:ndap.novell:///SAMPLE_TREE

If you do not have a service registered with its svcname-ws attribute as SAMPLE_TREE, there will be no output.

For more information, see Appendix C, "Configuring OpenSLP for eDirectory," on page 157.

2.6.3 Using the nds-install Utility to Install eDirectory Components

Use the nds-install utility to install eDirectory components on Solaris systems. This utility is located in the Setup directory on the CD for the Solaris platform. The utility adds the required packages based on what components you choose to install.

A nonroot user can install using only tarballs. For more information, refer to Section 2.6.4, "Nonroot User Installing eDirectory 8.8," on page 47.

1 Enter the following command from the setup directory:

./nds-install

ToinstalleDirectorycomponents,usethefollowingsyntax:
nds-install [-h] [-i] [-j] [-u]

If you do not provide the required parameters in the command line, the nds-install utility will prompt you for the parameters.

The following table provides a description of the nds-install utility parameters:

nds-install Parameter    Description

-h    Displays help for nds-install.

-i    Prevents the nds-install script from invoking the ndsconfig upgrade command if a DIB is detected at the time of the upgrade.

-j    Jumps or overrides the health check option before installing eDirectory. For more information about health checks, refer to Appendix B, "eDirectory Health Checks," on page 151.

-m    Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.

-u    Specifies the option to use an unattended install mode.

The installation program proceeds to add the appropriate RPMs or packages into the Solaris system. The following table lists the packages installed for each eDirectory component.

Installing or Upgrading Novell eDirectory on Solaris


eDirectory Component: eDirectory Server
Packages Installed: NDSbase NDScommon NDSmasv NDSserv NDSimon NDSrepair NDSdexvnt NOVLsubag NOVLsnmp NOVLpkit NOVLpkis NOVLpkia NOVLembox NOVLlmgnt NOVLxis NLDAPsdk NLDAPbase NOVLsas NOVLntls NOVLnmas NOVLldif2dib NOVLncp
Description: The eDirectory replica server is installed on the specified server.

eDirectory Component: Administration Utilities
Packages Installed: NOVLice NDSbase NLDAPbase NLDAPsdk NOVLpkia NOVLxis NOVLlmgnt
Description: The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation.

2 If you are prompted, enter the complete path to the license file.

You will be prompted to enter the complete path to the license file only if the installation program cannot locate the file in the default location. The default location is the /var directory, the mounted license diskette, or the current directory.

If the path you entered is not valid, you will be prompted to enter the correct path.

You can use the ndsconfig utility to configure eDirectory Server after installation.


Novell Modular Authentication Service (NMAS) is installed as part of the server component. By default, ndsconfig configures NMAS. You can also use the nmasinst utility to configure NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.

For more information on the ndsconfig utility, see "The ndsconfig Utility" on page 101.

For more information on the nmasinst utility, see "Using the nmasinst Utility to Configure NMAS" on page 54.


3 After the installation is complete, you need to update the following environment variables and export them as follows:

Manually export the environment variables

32-bit:
export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH

64-bit:
export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib/sparcv9:/opt/novell/eDirectory/lib/sparcv9/nds-modules:/opt/novell/lib/sparcv9:$LD_LIBRARY_PATH

export PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

Use the ndspath script to export the environment variables

If you do not want to export the paths manually, you can use the /opt/novell/eDirectory/bin/ndspath script as follows:

Prefix the ndspath script to the utility and run the utility you want as follows:

/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

Export the paths in the current shell as follows:

. /opt/novell/eDirectory/bin/ndspath

After entering the above command, run the utilities as you would normally do.

Call the script in your profile, bashrc, or similar scripts. Therefore, whenever you log in or open a new shell, you can start using the utilities directly.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see "Backing Up and Restoring Novell eDirectory," in the Novell eDirectory 8.8 SP7 Administration Guide.

2.6.4 Nonroot User Installing eDirectory 8.8

A nonroot user can install eDirectory 8.8 using the tarball.

Prerequisites

If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to "Installing NICI" on page 23.

If you want to use SLP and SNMP, ensure that they are installed by the root user.


Write rights to the directory where you want to install eDirectory.

If you are a non-administrator user, ensure that you have the appropriate rights as mentioned in the Section 2.2, "Prerequisites," on page 40 section.

Installing NICI
NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used system-wide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.

Root User Installing NICI


To install NICI, enter one of the following commands:

32-bit:
pkgadd -d NICI_package_absolute_path_and_filename NOVLniu0

For example:

pkgadd -d /home/build/Solaris/Solaris/setup/NOVLniu0.pkg NOVLniu0

64-bit:
pkgadd -d NICI_package_absolute_path_and_filename NOVLniu64

For example:

pkgadd -d /home/build/Solaris/Solaris/setup/NOVLniu64.pkg NOVLniu64

Nonroot User Installing NICI


Nonroot users can make use of the sudo utility to install NICI. sudo (superuser do) allows a root user to give certain users the ability to run some commands as root. A root user can do this by editing the /etc/sudoers configuration file and adding appropriate entries in it.

For more information, refer to the sudo Web site (http://www.sudo.ws/).

WARNING: sudo enables you to give limited root permissions to nonroot users. Therefore, you must understand the security implications before proceeding.

A root user needs to complete the following procedure to enable a nonroot user (for example, john) to install NICI:

1 Log in as root.

2 Edit the /etc/sudoers configuration file using the visudo command.

NOTE: There is no space between vi and sudo in the command.

3 Make an entry with the following information:

Username hostname=(root) NOPASSWD: /usr/sbin/pkgadd

For example, to enable john to run /usr/sbin/pkgadd as root on the hostname sol-2, type the following:

john sol-2=(root) NOPASSWD: /usr/sbin/pkgadd

A nonroot user (john, in the example) needs to do the following to install NICI:

1 Log in as john and execute the following command:


sudo pkgadd -d absolute_path_of_the_NICI_package NOVLniu0

For example:

sudo pkgadd -d /home/build/Solaris/Solaris/setup/NOVLniu0.pkg NOVLniu0

2 Execute the following script:

sudo /var/opt/novell/nici/set_server_mode

NICI gets installed in the server mode.
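
The WARNING in this procedure is concrete for pkgadd: a package's install scripts run as root, so a sudoers rule that names /usr/sbin/pkgadd without arguments lets the user install any package, not only NICI. The following audit function is an added example, not part of the Novell guide; it reports whether each pkgadd grant is open or pinned to fixed arguments, and the sample rules other than john's are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Novell guide: audit sudoers rules that grant pkgadd.

# Constructed sample input. The first rule is the guide's entry; the other
# users and rules are hypothetical variants made up for this example.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
john sol-2=(root) NOPASSWD: /usr/sbin/pkgadd
mary sol-2=(root) /usr/sbin/pkgadd -d /home/build/Solaris/Solaris/setup/NOVLniu0.pkg NOVLniu0, /var/opt/novell/nici/set_server_mode
lee sol-2=(root) NOPASSWD: /usr/sbin/pkgadd -d /home/build/* NOVLniu0
ann sol-2=(root) /usr/bin/ls'

# audit_pkgadd_rules: read sudoers-style rules on stdin and print
# "<user> <OPEN|WILDCARD|PINNED> <nopasswd|passwd>" for each pkgadd grant.
#   OPEN     - no arguments listed, so sudo accepts any pkgadd arguments
#   WILDCARD - arguments contain * or ?, which sudo matches across words and '/'
#   PINNED   - arguments are fixed, so only that exact command line is allowed
audit_pkgadd_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
            *'/usr/sbin/pkgadd'*) ;;        # candidate rule
            *) continue ;;
        esac
        user=${line%% *}
        rest=${line#*/usr/sbin/pkgadd}      # text after the command path
        case $rest in
            ''|' '*|','*) ;;                # really pkgadd, not a longer file name
            *) continue ;;
        esac
        args=${rest%%,*}                    # stop at the next command in the list
        if [ -z "$(printf '%s' "$args" | tr -d ' \t')" ]; then
            verdict=OPEN
        else
            case $args in
                *'*'*|*'?'*) verdict=WILDCARD ;;
                *) verdict=PINNED ;;
            esac
        fi
        case $line in
            *NOPASSWD:*) auth=nopasswd ;;
            *) auth=passwd ;;
        esac
        printf '%s %s %s\n' "$user" "$verdict" "$auth"
    done
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_pkgadd_rules
```

The pinned rule for the hypothetical user mary also lists /var/opt/novell/nici/set_server_mode, because step 2 of the nonroot procedure runs that script through sudo as well.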

Installing eDirectory
1 Go to the directory where you want to install eDirectory.

2 Untar the tar file as follows:

tar xvf /tar_file_name

3 Export the paths as follows:

Manually export the environment variables

32-bit:
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH

64-bit:
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib/sparcv9:custom_location/eDirectory/opt/novell/eDirectory/lib/sparcv9/nds-modules:custom_location/eDirectory/opt/novell/lib/sparcv9:/opt/novell/lib/sparcv9:/opt/novell/eDirectory/lib/sparcv9:$LD_LIBRARY_PATH

export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

Use the ndspath script to export the environment variables

Prefix the ndspath script to the utility if you do not want to export the paths manually. Run the utility you want as follows:

custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

Export the paths in the current shell as follows:

. custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath

NOTE: Ensure that you enter the above commands from the custom_location/eDirectory/opt directory.

After entering the above command, run the utilities as you would normally do.

Call the script in your profile, bashrc, or similar scripts. Therefore, whenever you log in or open a new shell, you can start using the utilities directly.

4 Configure eDirectory in the usual manner.


You can configure eDirectory in any of the following ways:

Use the ndsconfig utility as follows:

ndsconfig new -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-b port_to_bind] [-B interface1@port1, interface2@port2,..] [-D custom_location] [--config-file configuration_file]

For example:

ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf

The port numbers you enter need to be in the range 1024 to 65535. Port numbers less than 1024 are normally reserved for the super-user and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications.

This might cause the following applications to break:

The applications that don't have an option to specify the target server port.
The older applications that use NCP, and are run as root for 524.

Use the ndsmanage utility to configure a new instance. For more information, refer to the "Creating an Instance through ndsmanage" on page 32.

Follow the on-screen instructions to complete the configuration.

For more information, see Section 2.6.6, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server," on page 51.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.

For more information about backing up eDirectory, see "Backing Up and Restoring Novell eDirectory," in the Novell eDirectory 8.8 SP7 Administration Guide.
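
The port rule for a nonroot ndsconfig run can be checked before the command is issued. This preflight function is an added example, not part of the Novell guide; the function name is hypothetical, and the duplicate-port check is an assumption of this example rather than a rule stated in the guide.

```shell
#!/bin/sh
# Added example, not from the Novell guide: preflight check for the port
# options of a nonroot ndsconfig command line.

# check_nonroot_ports ARGS...
# Scans ndsconfig arguments for -b, -L, -l, -o and -O, prints one "ERROR" line
# per problem and returns 0 only when every port value is a number in the
# guide's 1024-65535 range. The duplicate check is an addition of this example.
# The interface@port pairs of -B are not parsed here.
check_nonroot_ports() {
    seen=' '
    rc=0
    while [ $# -gt 0 ]; do
        opt=$1
        shift
        case $opt in
            -b|-L|-l|-o|-O) ;;
            *) continue ;;                      # not a port option
        esac
        if [ $# -eq 0 ]; then
            echo "ERROR $opt: missing port value"
            rc=1
            break
        fi
        port=$1
        shift
        case $port in
            ''|*[!0-9]*)
                echo "ERROR $opt $port: not a number"
                rc=1
                continue ;;
        esac
        # The length test keeps oversized numbers away from the integer compare.
        if [ ${#port} -gt 5 ] || [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
            echo "ERROR $opt $port: outside 1024-65535"
            rc=1
        fi
        case $seen in
            *" $port "*)
                echo "ERROR $opt $port: port used twice"
                rc=1 ;;
        esac
        seen="$seen$port "
    done
    return $rc
}

# The guide's nonroot example passes the check.
if check_nonroot_ports new -t mary-tree -n novell -a admin.novell -S linux1 \
        -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 \
        -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf; then
    echo "ports OK for a nonroot instance"
fi
```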

2.6.5 Installing eDirectory 8.8 on Solaris 10 Zones

eDirectory 8.8 SP5 or later versions can be installed on Solaris* 10 Zones.

An Introduction to Zones
A zone is a virtual instance of Solaris. It is also one of the software partitions of the operating system. A large Sun Fire server with hardware domains allows the creation of several isolated systems. It is easy to move individual CPUs between the zones as needed, or to configure the sharing of CPUs and memory.

Types of Zones
There are two types of zones, a global zone and a non-global zone.


Global Zone
The global zone is the original Solaris OS instance, which has access to the physical hardware and can control all the processes. Global zones create non-global zones that are authorized to create and control new zones in which the applications run.

Non-Global Zone
A non-global zone is aligned with the global zones, but does not run inside them. Global zones can monitor the configuration of the non-global zones and control them. You can choose two general non-global zone types during the zone creation, a Small Zone and a Big Zone.

Small Zone (Sparse Root Zone)


A small zone is the default zone that consumes the least disk space. It is high performing and highly secure.

NOTE: Before installing eDirectory on a small zone, NICI should be installed on the global zone. For information on installing NICI, refer to "Installing NICI" on page 23.

Big Zone (Whole Root Zone)


A big zone has its own /usr files, which can be modified independently.

For more information on Solaris* Zones refer to the following links:

Information on Zones (http://www.solarisinternals.com/wiki/index.php/Zones#Zones)
Information on the Solaris Operating System (http://www.oracle.com/us/products/serversstorage/solaris/overview/index.html)

Installing eDirectory 8.8 on a Global or Non-Global Zone


Use the nds-install utility to install eDirectory components on a Solaris* 10 Zones system. This utility is present in the setup directory, in the CD provided for eDirectory installation on a Solaris platform. This utility adds the required packages, based on the components you choose to install.

To run the nds-install utility, enter the following command from the setup directory:
./nds-install

After installation, use the ndsconfig utility for configuring the eDirectory installed on the Solaris* 10 Zones system. For more information on the ndsconfig utility refer to the Novell Documentation Web site (http://www.novell.com/documentation/edir88/edirin88/data/a7f5t0z.html#a7f7ods).

2.6.6 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server

You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see "The ndsconfig Utility" on page 101.

Prerequisite for Configuring eDirectory in a Specific Locale


If you want to configure eDirectory in a specific locale, you need to export LC_ALL and LANG to that particular locale before eDirectory configuration. For example, to configure eDirectory in the Japanese locale, enter the following:

export LC_ALL=ja
export LANG=ja

Creating a New Tree


Use the following syntax:

ndsconfig new -t treename -n server context -a admin FDN [-i] [-S server name] [-d path for dib] [-m module] [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port] [-b port to bind] [-B interface1@port1, interface2@port2,..] [-D custom_location] [--config-file configuration_file]

A new tree is installed with the specified tree name and context.

There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:

tree_name: 32 characters
admin FDN: 255 characters
server FDN: 255 characters

If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.

Or, you can also use the following syntax:

ndsconfig def -t treename -n server context -a admin FDN [-i] [-S server name] [-d path for dib] [-m module] [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port] [-D custom_location] [--config-file configuration_file]

A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.

For example, to create a new tree, you could enter the following command:


ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company

Adding a Server into an Existing Tree


Use the following syntax:

ndsconfig add -t treename -n server context -a admin FDN [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port] [-S server name] [-d path for dib] [-p IP address:port] [-m module] [-b port to bind] [-B interface1@port1, interface2@port2,..] [-D custom_location] [--config-file configuration_file] [-E]

A server is added to an existing tree in the specified context. If the context that the user wants to add the Server object to does not exist, ndsconfig creates the context and adds the server.


LDAP and security services can also be added after eDirectory has been installed into the existing tree.

For example, to add a server into an existing tree, you could enter the following command:


ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1

You can enable encrypted replication in the server you want to add using the -E option. For more information on encrypted replication, see "Encrypted Replication" in the Novell eDirectory 8.8 SP7 Administration Guide.

Removing a Server Object and Directory Services from a Tree


Use the following syntax:
ndsconfig rm -a admin FDN

eDirectory and its database are removed from the server.

NOTE: The HTML files created using iMonitor will not be removed. You must manually remove these files from /var/opt/novell/eDirectory/data/dsreports before removing eDirectory.

For example, to remove the eDirectory Server object and directory services from a tree, you could enter the following command:


ndsconfig rm -a cn=admin.o=company

ndsconfig Utility Parameters


Refer to "ndsconfig Utility Parameters" on page 28 for more information.

2.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8

You can configure multiple instances of eDirectory 8.8 on a single host. For information on multiple instances, refer to Section 1.6.5, "Using ndsconfig to Configure Multiple Instances of eDirectory 8.8," on page 31 in the Linux chapter.

2.6.8 Using ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers

You can use ndsconfig to install a Solaris server into an eDirectory tree that has containers using dotted names (for example, novell.com).

Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped out, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on a Solaris server using O=novell.com as the name of the O, use the following command:

ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"

The Admin name and context and the server context parameters are enclosed in double quotes, and only the dot (.) in novell.com is escaped using the \ (backslash) character.

You can also use this format when installing a server into an existing tree.


NOTE: You should use this format when entering dotted admin name and context while using utilities such as DSRepair, Backup, DSMerge, DSLogin, and ldapconfig.
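
The escaping rule for dotted container names, as an added example that is not part of the Novell guide: a shell helper that builds the -a and -n values from individual name components, escaping only the dots inside a component, followed by a check of what the shell does to the backslash with and without double quotes. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Novell guide: build dotted-name arguments
# for ndsconfig. Function names are hypothetical.

# escape_component NAME
# Escape every dot inside one name component (for example the O named
# novell.com). Dots that are already escaped are normalised first, so
# running the function twice does not double the backslashes.
escape_component() {
    printf '%s\n' "$1" | sed -e 's/\\\././g' -e 's/\./\\./g'
}

# join_name COMPONENT...
# Join components with plain dots as separators, escaping dots inside each one.
join_name() {
    joined=''
    for part in "$@"; do
        joined=${joined:+$joined.}$(escape_component "$part")
    done
    printf '%s\n' "$joined"
}

# show_arg prints its first argument exactly as a program would receive it.
show_arg() {
    printf '%s\n' "$1"
}

admin=$(join_name admin novell.com)             # admin.novell\.com
context=$(join_name OU=servers O=novell.com)    # OU=servers.O=novell\.com

# Why the guide asks for double quotes: unquoted, the shell consumes the
# backslash and the utility sees novell and com as two separate components.
quoted=$(show_arg "admin.novell\.com")          # admin.novell\.com
unquoted=$(show_arg admin.novell\.com)          # admin.novell.com

# Print the command instead of running it; ndsconfig is not assumed to be installed.
printf 'ndsconfig new -a "%s" -t novell_tree -n "%s"\n' "$admin" "$context"
```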

2.6.9 Using the nmasinst Utility to Configure NMAS

For eDirectory 8.8, by default, ndsconfig configures NMAS. You can also use nmasinst on Linux, Solaris, and AIX systems to configure NMAS.

ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst.

IMPORTANT: You must configure eDirectory with ndsconfig before you install the NMAS login methods. You must also have administrative rights to the tree.

"Configuring NMAS" on page 54
"Installing Login Methods" on page 54

Configuring NMAS
By default, ndsconfig configures NMAS. You can also use nmasinst for the same.

To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:
nmasinst -i admin.context tree_name

nmasinst will prompt you for a password.

This command creates the objects in the Security container that NMAS needs, and installs the LDAP extensions for NMAS on the LDAP Server object in eDirectory.

The first time NMAS is installed in a tree, it must be installed by a user with enough rights to create objects in the Security container. However, subsequent installs can be done by container administrators with read-only rights to the Security container. nmasinst will verify that the NMAS objects exist in the Security container before it tries to create them.

nmasinst does not extend the schema. The NMAS schema is installed as part of the base eDirectory schema.

Installing Login Methods


To install login methods using nmasinst, enter the following at the server console command line:
nmasinst -addmethod admin.context tree_name config.txt_path

The last parameter specifies the config.txt file for the login method that is to be installed. A config.txt file is provided with each login method.

Here is an example of the -addmethod command:

nmasinst -addmethod admin.novell MY_TREE "./nmas-methods/novell/Simple Password/config.txt"

If the login method already exists, nmasinst will update it.


For more information, see "Managing Login and Post-Login Methods and Sequences" (http://www.novell.com/documentation/nmas33/admin/data/a53vj9a.html) in the Novell Modular Authentication Services 3.3 Administration Guide.

2.6.10 Nonroot user SNMP configuration

NICI and NOVLsubag should be installed as root user.

1 Root User Installing NICI. Refer to "Root User Installing NICI" on page 23.

2 Install NOVLsubag as root.

3 Export the paths as follows:

Manually export the environment variables.

32-bit:
export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib:custom_location/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH

64-bit:
export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib/sparcv9:custom_location/opt/novell/lib/sparcv9:/opt/novell/lib/sparcv9:/opt/novell/eDirectory/lib/sparcv9:$LD_LIBRARY_PATH


export PATH=/opt/novell/eDirectory/bin:$PATH

export MANPATH=/opt/novell/man:$MANPATH


Installing or Upgrading Novell eDirectory on AIX

Use the following information to install or upgrade Novell eDirectory 8.8 on an AIX server:

Section 3.1, "System Requirements," on page 57
Section 3.2, "Prerequisites," on page 57
Section 3.3, "Hardware Requirements," on page 59
Section 3.4, "Forcing the Backlink Process to Run," on page 59
Section 3.5, "Upgrading eDirectory," on page 60
Section 3.6, "Installing eDirectory," on page 60

3.1 System Requirements

You can install eDirectory 8.8 SP7 (32-bit installation only) on servers running AIX Version 6.1.x. eDirectory also requires the following:

All recommended AIX OS patches, available at the IBM* Fix Central (http://www933.ibm.com/support/fixcentral/) Web site
A minimum of 512 MB RAM
215 MB of disk space for the eDirectory server
38 MB of disk space for the eDirectory administration utilities
150 MB of disk space for every 50,000 users

3.2 Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). It is highly recommended that you back up eDirectory before any upgrades.

Enable the AIX host for multicast routing.

See if the multicast routing daemon mrouted is running. If it is not running, configure and start the multicast daemon mrouted.

See the "mrouted.conf File" section in the Files Reference book on the AIX Documentation Web site (http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix.htm) for an example configuration file.


(Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.

When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2 KB. The only way to create a 4 KB key size is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.

When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Section 3.6.3, "Using the nds-install Utility to Install eDirectory Components," on page 62. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see "Installing NICI" on page 65. The package containing NICI 2.7 is named NOVLniu0-2.7 on AIX.

If you have more than one server in the tree, the time on all the network servers should be synchronized. Use Network Time Protocol's (NTP) xntpd.nlm to synchronize time.

(Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.

(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that you have the following rights:

Supervisor rights to the container the server is being installed into.
Supervisor rights to the partition where you want to add the server.
NOTE: This is required for adding the replica when the replica count is less than 3.
All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
Entry rights: browse rights over Security container object.
All Attributes rights: read and compare rights over Security container object.

(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:

LDAP clear text: 389
LDAP secured: 636
HTTP clear text: 8028
HTTP secured: 8030

If you have enabled user-defined ports, you must mention these ports while configuring eDirectory.

During eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.


Configuring Static IP Address


Static IP address must be configured on the server for the eDirectory to perform efficiently. Configuring eDirectory on the servers with DHCP address can lead to unpredictable results.

3.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory.

For example, a base installation of Novell eDirectory with the standard schema requires about 74 MB of disk space for every 50,000 users. However, if you add a new set of attributes or completely fill in every existing attribute, the object size grows. These additions affect the disk space, processor, and memory needed.

Two factors increase performance: more cache memory and faster processors.

For best results, cache as much of the DIB Set as the hardware allows.

eDirectory scales well on a single processor. However, eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.

The following table illustrates typical system requirements for Novell eDirectory for AIX.

Objects       Processor   Memory    Hard Disk
100,000       RS/6000     344 MB    144 MB
1 Million     RS/6000     2 GB      1.5 GB
10 Million    RS/6000     2+ GB     15 GB

Requirements for processors might be greater than the table indicates, depending upon additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

3.4 Forcing the Backlink Process to Run

Because the internal eDirectory identifiers change when upgrading to Novell eDirectory, the backlink process must update backlinked objects for them to be consistent.

Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open, and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).

After migrating to eDirectory, start the DSTrace process by issuing the ndstrace -l>log& command, which runs the process at the background. You can force the backlink to run by issuing the ndstrace -c set ndstrace=*B command from the DSTrace command prompt. Then you can unload the DSTrace process by issuing the ndstrace -u command. Running the backlink process is especially important on servers that do not contain a replica.


3.5 Upgrading eDirectory

To upgrade to eDirectory 8.8 from eDirectory 8.7, 8.7.1, or 8.7.3, enter the following:
./nds-install

After the upgrade to eDirectory 8.8, the default location of the configuration files, data files, and log files are changed to /etc/opt/novell/eDirectory/conf, /var/opt/novell/eDirectory/data, and /var/opt/novell/eDirectory/log respectively.

The new directory /var/opt/novell/eDirectory/data uses a symbolic link to the /var/nds directory.

The old configuration file /etc/nds.conf is migrated to /etc/opt/novell/eDirectory/conf directory. The old configuration file /etc/nds.conf is renamed to /etc/nds.conf_pre88 and the old log files under /var/nds are retained for reference.

NOTE: The ndsconfig upgrade command has to be run after nds-install, if upgrade of the DIB fails and nds-install asks to do so.

NOTE: Health check fails due to time sync. To resolve this issue, perform a time sync between the instances. You can ignore this warning message during upgrade.

3.5.1 Upgrading Multiple Instances

For information on Upgrading Multiple Instances, refer to Section 1.5.7, "Upgrading Multiple Instances," on page 18 in the Linux chapter.

3.5.2 Upgrading the Tarball Deployment of eDirectory 8.8

For information on upgrading the tarball deployment of eDirectory 8.8, refer to Section 1.5.6, "Upgrading the Tarball Deployment of eDirectory 8.8," on page 16 in the Linux chapter.

3.6 Installing eDirectory

The following sections provide information about installing Novell eDirectory on AIX:

Section 3.6.1, "Server Health Checks," on page 61
Section 3.6.2, "Using SLP with eDirectory," on page 61
Section 3.6.3, "Using the nds-install Utility to Install eDirectory Components," on page 62
Section 3.6.4, "Nonroot User Installing eDirectory 8.8," on page 64
Section 3.6.5, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server," on page 67
Section 3.6.6, "Using ndsconfig to Configure Multiple Instances of eDirectory 8.8," on page 69
Section 3.6.7, "Using ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers," on page 69
Section 3.6.8, "Using the nmasinst Utility to Configure NMAS," on page 69
Section 3.6.9, "Nonroot user SNMP configuration," on page 70


3.6.1 Server Health Checks

With eDirectory 8.8, when you upgrade or install eDirectory, two server health checks are conducted by default to ensure that the server is safe for the upgrade.

Section B.3.1, "Basic Server Health," on page 152
Section B.3.2, "Partitions and Replica Health," on page 153

Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:

If all the health checks are successful, the upgrade will continue.
If there are minor errors, the upgrade will prompt you to continue or exit.
If there are critical errors, the upgrade will exit.

See Appendix B, "eDirectory Health Checks," on page 151 for a list of minor and critical error conditions.

Skipping Server Health Checks

To skip server health checks, use nds-install -j or ndsconfig upgrade -j.

For more information, see Appendix B, "eDirectory Health Checks," on page 151.

3.6.2 Using SLP with eDirectory

In earlier releases of eDirectory, SLP was installed during the eDirectory install. But with eDirectory 8.8, you need to separately install SLP before proceeding with the eDirectory install.

If you plan to use SLP to resolve tree names, it should have been properly configured and SLP DAs should be stable.

1 Install SLP using the following command:

installp -acgXd absolute_path_of_NDSslp_fileset NDS.NDSslp

The SLP fileset is present in the setup directory in the build. For example, if you have the build in the /home/build directory, enter the following command:

installp -acgXd /home/build/Aix/Aix/setup/NDS.NDSslp

2 Follow the on-screen instructions to complete the SLP installation.

3 Start SLP.

If you don't want to (or cannot) use SLP, you can use the flat file hosts.nds to resolve tree names to server referrals. The hosts.nds file can be used to avoid SLP multicast delays when an SLP DA is not present in the network.

hosts.nds is a static lookup table used by eDirectory applications to search eDirectory partition and servers. The hosts.nds file should be created in /etc/opt/novell/eDirectory/conf/hosts.nds or <custom_location>/etc/opt/novell/eDirectory/conf/hosts.nds. For more information on hosts.nds, refer to "Using SLP with eDirectory" on page 19 and the hosts.nds man page.

If you decide to use SLP to resolve the tree name to determine if the eDirectory tree is advertised, after eDirectory and SLP are installed, enter the following:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==[treename or *])"


For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==SAMPLE_TREE)/"

If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, then the output will be similar to the following:
service:ndap.novell:///SAMPLE_TREE

If you do not have a service registered with its svcname-ws attribute as SAMPLE_TREE, there will be no output.

For more information, see Appendix C, "Configuring OpenSLP for eDirectory," on page 157.

3.6.3 Using the nds-install Utility to Install eDirectory Components

Use the nds-install utility to install eDirectory components on AIX systems. This utility is located in the Setup directory on the CD for the AIX platform. The utility adds the required packages based on what components you choose to install.

1 Enter the following command from the setup directory:

./nds-install

To install eDirectory components, use the following syntax:
nds-install [-h] [-i] [-j] [-u]

Ifyoudonotprovidetherequiredparametersinthecommandline,thendsinstallutilitywill promptyoufortheparameters. Thefollowingtableprovidesadescriptionofthendsinstallutilityparameters:


nds-install Parameter    Description
-h    Displays help for nds-install.
-i    Prevents the nds-install script from invoking the ndsconfig upgrade command if a DIB is detected at the time of the upgrade.
-j    Jumps or overrides the health check option before installing eDirectory. For more information about health checks, refer to Appendix B, "eDirectory Health Checks," on page 151.
-m    Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.
-u    Specifies the option to use an unattended install mode.

The installation program installs the following depots:


eDirectory Component: eDirectory Server
Packages Installed: NDSbase NDScommon NDSmasv NDSserv NDSimon NDSrepair NDSdexvnt NOVLsubag NOVLsnmp NOVLpkit NOVLpkis NOVLpkia NOVLembox NOVLlmgnt NOVLxis NLDAPsdk NLDAPbase NOVLsas NOVLntls NOVLnmas NOVLldif2 NOVLncp
Description: The eDirectory replica server is installed on the specified server.

eDirectory Component: Administration Utilities
Packages Installed: NOVLice NDSbase NLDAPbase NLDAPsdk NOVLpkia NOVLxis NOVLlmgnt
Description: The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation.

2 If you are prompted, enter the complete path to the license file.

You will be prompted to enter the complete path to the license file only if the installation program cannot locate the file in the default location. The default location is the /var directory, the mounted license diskette, or the current directory.
If the path you entered is not valid, you will be prompted to enter the correct path.
You can use the ndsconfig utility to configure eDirectory Server after installation.
Novell Modular Authentication Service (NMAS) is installed as part of the server component. By default ndsconfig configures NMAS. You can also use the nmasinst utility to configure NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.


For more information on the ndsconfig utility, see "The ndsconfig Utility" on page 101.
For more information on the nmasinst utility, see "Using the nmasinst Utility to Configure NMAS" on page 69.

3 After the installation is complete, you need to update the following environment variables and export them as follows:

Manually export the environment variables
export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export LIBPATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LIBPATH
export PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

Use the ndspath script to export the environment variables
If you do not want to export the paths manually, you can use the /opt/novell/eDirectory/bin/ndspath script as follows:

Prefix the ndspath script to the utility and run the utility you want as follows:
/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

Export the paths in the current shell as follows:
. /opt/novell/eDirectory/bin/ndspath

After entering the above command, run the utilities as you would normally do.
Call the script in your profile, bashrc, or similar scripts. Therefore, whenever you log in or open a new shell, you can start using the utilities directly.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.
For more information about backing up eDirectory, see "Backing Up and Restoring Novell eDirectory," in the Novell eDirectory 8.8 SP7 Administration Guide.

3.6.4

Nonroot User Installing eDirectory 8.8


A nonroot user can install eDirectory 8.8 using the tarball.

Prerequisites
If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to "Installing NICI" on page 65.
If you want to use SLP and SNMP, ensure that they are installed by the root user.
Write rights to the directory where you want to install eDirectory.
If you are a non-administrator user, ensure that you have the appropriate rights as mentioned in the Section 3.2, "Prerequisites," on page 57 section.


Installing NICI
NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used system-wide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.

Root User Installing NICI


To install NICI, enter the following command:
installp -acgXd absolute_path_of_the_NICI_fileset NOVLniu0

For example:
installp -acgXd /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0 NOVLniu0

Nonroot User Installing NICI


Nonroot users can make use of the sudo utility to install NICI. sudo (superuser do) allows a root user to give certain users the ability to run some commands as root. A root user can do this by editing the /etc/sudoers configuration file and adding appropriate entries in it.
For more information, refer to the sudo Web site (http://www.sudo.ws/).

WARNING: sudo enables you to give limited root permissions to nonroot users. Therefore, you must understand the security implications before proceeding.

A root user needs to complete the following procedure to enable a nonroot user (for example, john) to install NICI:
1 Log in as root.
2 Edit the /etc/sudoers configuration file using the visudo command.

NOTE: There is no space between vi and sudo in the command.
Make an entry with the following information:
Username hostname=(root) NOPASSWD: /usr/sbin/installp

For example, to enable john to run /bin/rpm as root on the hostname aix-2, type the following:
john aix-2=(root) NOPASSWD: /usr/sbin/installp

A nonroot user (john, in the example) needs to do the following to install NICI:
1 Log in as john and execute the following command:
sudo installp -acgXd absolute_path_of_the_NICI_fileset NOVLniu0

For example:
sudo installp -acgXd /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0 NOVLniu0
2 Execute the following script:
sudo /var/opt/novell/nici/set_server_mode

NICI gets installed in the server mode.
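
The sudoers entry shown above authorizes /usr/sbin/installp with any arguments and does not list the set_server_mode script that step 2 runs through sudo. The following is an added example, not part of the original guide: a helper (hypothetical name nici_sudoers_entry) that prints an entry pinning installp to the one NICI fileset and allowing the script only without arguments; it assumes the fileset path contains only letters, digits, '.', '_', '-' and '/'.

```shell
#!/bin/sh
# Added example (not from the guide): print a sudoers entry that lets one user
# install the NICI fileset and switch NICI to server mode, and nothing else.
# nici_sudoers_entry is a hypothetical helper name; the two command paths and
# the installp flags are the ones the guide uses.

# Usage: nici_sudoers_entry USER HOST ABSOLUTE_PATH_OF_NICI_FILESET
nici_sudoers_entry() {
    _user=$1 _host=$2 _fileset=$3

    # User and host become sudoers tokens: refuse empty values, ALL, and any
    # character (space, comma, '%', '!', ...) that could widen the rule.
    case $_user in
        ''|ALL|*[!A-Za-z0-9_.-]*) echo "nici_sudoers_entry: bad user name" >&2; return 1 ;;
    esac
    case $_host in
        ''|ALL|*[!A-Za-z0-9_.-]*) echo "nici_sudoers_entry: bad host name" >&2; return 1 ;;
    esac

    # sudo compares the path literally, so it must be absolute, free of '..'
    # components, and free of characters that sudoers treats as wildcards or
    # separators (* ? [ ] , : = \ and whitespace).
    case $_fileset in
        /*) ;;
        *) echo "nici_sudoers_entry: fileset path must be absolute" >&2; return 1 ;;
    esac
    case $_fileset in
        *[!A-Za-z0-9_./-]*|*/../*|*/..)
            echo "nici_sudoers_entry: unsupported character or '..' in path" >&2
            return 1 ;;
    esac

    # Arguments written after a command in sudoers must match exactly what the
    # user types; "" means the command may only be run without arguments.
    printf '%s %s=(root) NOPASSWD: /usr/sbin/installp -acgXd %s NOVLniu0, /var/opt/novell/nici/set_server_mode ""\n' \
        "$_user" "$_host" "$_fileset"
}

# Constructed demonstration using the user, host and path from the guide's example.
nici_sudoers_entry john aix-2 /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0
```

Check the printed line with visudo -c -f on a scratch copy before adding it through visudo.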


Installing eDirectory
1 Go to the directory where you want to install eDirectory.
2 Untar the tar file as follows:
tar xvfp /tar_file_name
3 Export the paths as follows:

Manually export the environment variables
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export LIBPATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LIBPATH
export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

Use the ndspath script to export the environment variables
If you do not want to export the paths manually, you can use the custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath script as follows:

Prefix the ndspath script to the utility and run the utility you want as follows:
custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath utility_name_with_parameters

Go to the custom_location/eDirectory/opt/novell/eDirectory/bin/ directory and export the paths in the current shell as follows:
. custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath

NOTE: Ensure that you enter the above command from the custom_location/eDirectory/opt directory.
After entering the above command, run the utilities as you would normally do.
Call the script in your profile, bashrc, or similar scripts. Therefore, whenever you log in or open a new shell, you can start using the utilities directly.

4 Configure eDirectory in the usual manner.

You can configure eDirectory in any of the following ways:
Use the ndsconfig utility as follows:
ndsconfig new -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-b port_to_bind] [-B interface1@port1, interface2@port2,..] [-D custom_location] [--config-file configuration_file]

For example:


ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf

The port numbers you enter need to be in the range 1024 to 65535. Port numbers lower than 1024 are normally reserved for the superuser and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications.
This might cause the following applications to break:
  The applications that don't have an option to specify the target server port.
  The older applications that use NCP, and are run as root for 524.
Use the ndsmanage utility to configure a new instance. For more information, refer to the "Creating an Instance through ndsmanage" on page 32.
Follow the onscreen instructions to complete the configuration.
For more information, see Section 3.6.5, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server," on page 67.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.
For more information about backing up eDirectory, see "Backing Up and Restoring Novell eDirectory," in the Novell eDirectory 8.8 SP7 Administration Guide.

3.6.5

Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see "The ndsconfig Utility" on page 101.

Prerequisite for Configuring eDirectory in a Specific Locale


If you want to configure eDirectory in a specific locale, you need to export LC_ALL and LANG to that particular locale before eDirectory configuration. For example, to configure eDirectory in the Japanese locale, enter the following:
export LC_ALL=ja
export LANG=ja

Creating a New Tree

Use the following syntax:
ndsconfig new -t treename -n server context -a admin FDN [-i] [-S server name] [-d path for ] [-m module] [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port]

A new tree is installed with the specified tree name and context.


There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:
  tree_name: 32 characters
  admin FDN: 255 characters
  server FDN: 255 characters
If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.
Or, you can also use the following syntax:
ndsconfig def -t treename -n server context -a admin FDN [-i] [-S server name] [-d path for ] [-m module] [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port]

A new tree is installed with the specified tree name and context. If the parameters are not specified in the command line, ndsconfig takes the default value for each of the missing parameters.
For example, to create a new tree, you could enter the following command:


ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company

Adding a Server into an Existing Tree


Use the following syntax:
ndsconfig add -t treename -n server context -a admin FDN [-e] [-L ldap port] [-l SSL port] [-o http port] [-O https port] [-S server name] [-d path for ] [-p IP address:port] [-m module] [-E]

A server is added to an existing tree in the specified context. If the context that the user wants to add the Server object to does not exist, ndsconfig creates the context and adds the server.
LDAP and security services can also be added after eDirectory has been installed into the existing tree.
For example, to add a server into an existing tree, you could enter the following command:


ndsconfig add -t corp-tree -n o=company -a cn=admin.o=company -S srv1

You can enable encrypted replication in the server you want to add using the -E option. For more information on encrypted replication, see "Encrypted Replication" in the Novell eDirectory 8.8 SP7 Administration Guide.

Removing a Server Object and Directory Services from a Tree


Use the following syntax:
ndsconfig rm -a admin FDN

eDirectory and its database are removed from the server.
NOTE: The HTML files created using iMonitor will not be removed. You must manually remove these files from /var/opt/novell/eDirectory/data/dsreports before removing eDirectory.
For example, to remove the eDirectory Server object and directory services from a tree, you could enter the following command:


ndsconfig rm -a cn=admin.o=company


ndsconfig Utility Parameters


Refer to "ndsconfig Utility Parameters" on page 28 for more information.

3.6.6

Using ndsconfig to Configure Multiple Instances of eDirectory 8.8


You can configure multiple instances of eDirectory 8.8 on a single host. For information on multiple instances, refer to Section 1.6.5, "Using ndsconfig to Configure Multiple Instances of eDirectory 8.8," on page 31 in the Linux chapter.

3.6.7

Using ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers
You can use ndsconfig to install an AIX server into an eDirectory tree that has containers using dotted names (for example, novell.com).
Because ndsconfig is a command-line utility, using containers with dotted names requires that those dots be escaped out, and the parameters containing these contexts must be enclosed in double quotes. For example, to install a new eDirectory tree on an AIX server using "O=novell.com" as the name of the O, use the following command:
ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"

The Admin name and context and the server context parameters are enclosed in double quotes, and only the dot (.) in novell.com is escaped using the \ (backslash) character.
You can also use this format when installing a server into an existing tree.
NOTE: You should use this format when entering dotted admin name and context while using utilities such as DSRepair, Backup, DSMerge, DSLogin, and ldapconfig.

3.6.8

Using the nmasinst Utility to Configure NMAS


For eDirectory 8.8, by default, ndsconfig configures NMAS. You can also use nmasinst on Linux, Solaris, and AIX systems to configure NMAS.
ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst.
IMPORTANT: You must configure eDirectory with ndsconfig before you install the NMAS login methods. You must also have administrative rights to the tree.
  "Configuring NMAS" on page 69
  "Installing Login Methods" on page 70

Configuring NMAS
By default, ndsconfig configures NMAS. You can also use nmasinst for the same.
To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:
nmasinst -i admin.context tree_name


nmasinst will prompt you for a password.
This command creates the objects in the Security container that NMAS needs, and installs the LDAP extensions for NMAS on the LDAP Server object in eDirectory.
The first time NMAS is installed in a tree, it must be installed by a user with enough rights to create objects in the Security container. However, subsequent installs can be done by container administrators with the Read-only right to the Security container. nmasinst will verify that the NMAS objects exist in the Security container before it tries to create them.
nmasinst does not extend the schema. The NMAS schema is installed as part of the base eDirectory schema.

Installing Login Methods


To install login methods using nmasinst, enter the following at the server console command line:
nmasinst -addmethod admin.context tree_name config.txt_path

The last parameter specifies the config.txt file for the login method that is to be installed. A config.txt file is provided with each login method.
Here is an example of the -addmethod command:

nmasinst -addmethod admin.novell MY_TREE ./nmas-methods/novell/Simple Password/config.txt

If the login method already exists, nmasinst will update it.
For more information, see "Managing Login and Post-Login Methods and Sequences" (http://www.novell.com/documentation/nmas33/admin/data/a53vj9a.html) in the Novell Modular Authentication Services 3.3 Administration Guide.

3.6.9

Nonroot user SNMP configuration


NICI and NOVLsubag should be installed as root user.
1 Root User Installing NICI. Refer to "Root User Installing NICI" on page 65.
2 Install NOVLsubag as root.
3 Export the paths as follows:

Manually export the environment variables.
export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib:custom_location/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export PATH=/opt/novell/eDirectory/bin:$PATH
export MANPATH=/opt/novell/:$MANPATH
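
The export commands here and in Sections 3.6.3 and 3.6.4 prepend the eDirectory directories to whatever the variable already holds, so an unset variable leaves a trailing ':' behind; in PATH an empty entry means the current directory, and empty or relative entries are best kept out of the loader search paths as well. The following is an added example, not part of the original guide: two helpers (hypothetical names edir_path and edir_export) that build LD_LIBRARY_PATH, LIBPATH and PATH without empty, relative or duplicate entries, assuming the install prefix is passed as an absolute path (empty for the root install, custom_location/eDirectory for the tarball install).

```shell
#!/bin/sh
# Added example (not from the guide). edir_path and edir_export are
# hypothetical helper names; the directories are the ones the guide exports.

# edir_path OLD_VALUE DIR...
# Print DIR... followed by the entries of OLD_VALUE as one ':'-separated list,
# dropping empty entries, relative entries and duplicates.
# The body runs in a subshell so the IFS and 'set -f' changes do not leak.
edir_path() (
    old=$1
    shift
    set -f      # no pathname expansion while OLD_VALUE is split
    IFS=:
    # shellcheck disable=SC2086  # splitting on ':' is intended here
    set -- "$@" $old
    out=
    for dir in "$@"; do
        case $dir in
            /*) ;;              # absolute entry: keep
            *) continue ;;      # empty or relative: would resolve against the cwd
        esac
        case ":$out:" in
            *":$dir:"*) continue ;;   # already listed
        esac
        out=${out:+$out:}$dir
    done
    printf '%s\n' "$out"
)

# edir_export [PREFIX]
# Set LD_LIBRARY_PATH, LIBPATH and PATH for an install rooted at PREFIX.
edir_export() {
    _prefix=${1:-}
    case $_prefix in
        ''|/*) ;;
        *) echo "edir_export: prefix must be an absolute path" >&2; return 1 ;;
    esac
    _prefix=${_prefix%/}
    _edir=$_prefix/opt/novell/eDirectory
    LD_LIBRARY_PATH=$(edir_path "${LD_LIBRARY_PATH:-}" \
        "$_edir/lib" "$_edir/lib/nds-modules" "$_prefix/opt/novell/lib")
    LIBPATH=$(edir_path "${LIBPATH:-}" \
        "$_edir/lib" "$_edir/lib/nds-modules" "$_prefix/opt/novell/lib")
    PATH=$(edir_path "${PATH:-}" "$_edir/bin" "$_edir/sbin")
    export LD_LIBRARY_PATH LIBPATH PATH
}

# Constructed demonstration: with the variables unset, nothing ends in ':'.
(
    unset LD_LIBRARY_PATH LIBPATH
    edir_export /home/mary/inst1/eDirectory
    printf 'LD_LIBRARY_PATH=%s\nPATH=%s\n' "$LD_LIBRARY_PATH" "$PATH"
)
```

MANPATH and TEXTDOMAINDIR are left out on purpose: an empty MANPATH entry can be meaningful to man, and TEXTDOMAINDIR is not a loader or command search path.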


Installing or Upgrading Novell eDirectory on Windows

Use the following information to install or upgrade Novell eDirectory 8.8 on a Windows platform:
  Section 4.1, "System Requirements," on page 71
  Section 4.2, "Prerequisites," on page 72
  Section 4.3, "Hardware Requirements," on page 73
  Section 4.4, "Forcing the Backlink Process to Run," on page 74
  Section 4.5, "Disk Space Check on Upgrading to eDirectory SP7 or later," on page 74
  Section 4.6, "Installing Novell eDirectory on Windows," on page 75

IMPORTANT: Novell eDirectory 8.8 lets you install eDirectory for Windows without the Novell Client. If you install eDirectory 8.8 on a machine already containing the Novell Client, eDirectory will use the existing Client. For more information, see "Installing or Updating Novell eDirectory 8.8 on a Windows Server" on page 75.

4.1

System Requirements
You must install eDirectory on one of the following platforms.
For a 32-bit eDirectory installation:
  32-bit Windows Server 2003 Enterprise Edition with latest Service Pack
  32-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition)
For a 64-bit eDirectory installation:
  64-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition)
  Windows Server 2008 R2 (Standard/Enterprise/Data Center Edition)

IMPORTANT
  You must use an account that has administrative rights to install eDirectory 8.8 SP7 on Windows Server 2008 R2.
  You should apply the latest available patch for eDirectory.
  Windows XP is not a supported eDirectory 8.8 platform.

eDirectory also requires the following:
  An assigned IP address


  Administrative rights to the Windows server and to all portions of the eDirectory tree that contain domain-enabled User objects. For an installation into an existing tree, you need administrative rights to the Tree object so that you can extend the schema and create objects.
  (Optional) One or more workstations running one of the following:
    Novell Client for Windows 2000 version 4.9
    Novell Client for Windows XP version 4.9
Refer to the OS recommended hardware requirements for your Windows server.

4.2

Prerequisites
IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). It is also highly recommended to back up eDirectory prior to any upgrades.

Because NTFS provides a safer transaction process than a FAT file system provides, you can install eDirectory only on an NTFS partition. Therefore, if you have only FAT file systems, do one of the following:
  Create a new partition and format it as NTFS. Use Disk Administrator. Refer to the Windows Server documentation for more information.
  Convert an existing FAT file system to NTFS, using the CONVERT command. Refer to the Windows Server documentation for more information.
If your server only has a FAT file system and you forget or overlook this process, the installation program prompts you to provide an NTFS partition.

(Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4 KB key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.
When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2 KB. The only way to create a 4 KB key size is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default from 2 KB to 4 KB for the key size, during the CA creation.
NOTE: The Windows Silent Installer requires NICI installed on the system.

If you are upgrading to eDirectory 8.8, make sure you have the latest eDirectory patches installed on all non-eDirectory 8.8 servers in the tree. You can get eDirectory patches from the Novell Support (http://support.novell.com) Web site.

Make sure you have the latest Windows 2003 or 2008 Server Service Packs installed. The latest updated Windows Service Pack needs to be installed after the installation of the Windows SNMP service.

If you are upgrading from a previous version of eDirectory, it must be eDirectory 8.7.3 or later.

(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that you have the following rights:
  Supervisor rights to the container the server is being installed into.
  Supervisor rights to the partition where you want to add the server.


  NOTE: This is required for adding the replica when the replica count is less than 3.
  All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
  Entry rights: browse rights over Security container object.
  All Attributes rights: read and compare rights over Security container object.

(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of later version, then the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. The NCP port must be configured to allow both inbound and outbound traffic.
Additionally, you can enable the following service ports, based on your requirements:
  LDAP clear text - 389
  LDAP secured - 636
  HTTP clear text - 8028
  HTTP secured - 8030
If you have enabled user-defined ports, you must specify these ports while configuring eDirectory.

If you are installing eDirectory on a virtual machine having a DHCP address or on a physical or virtual machine in which SLP is not broadcast, ensure that the Directory Agent is configured in your network.

Configuring Static IP Address

A static IP address must be configured on the server for eDirectory to perform efficiently. Configuring eDirectory on servers with a DHCP address can lead to unpredictable results.

4.3

Hardware Requirements
Hardware requirements depend on the specific implementation of eDirectory.
For example, a base installation of eDirectory with the standard schema requires about 74 MB of disk space for every 50,000 users. However, if you add a new set of attributes or completely fill in every existing attribute, the object size grows. These additions affect the disk space, processor, and memory needed.
Two factors increase performance: more cache memory and faster processors.
For best results, cache as much of the DIB Set as the hardware allows.
eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.
The following table illustrates typical system requirements for Novell eDirectory for Windows:


Objects       Memory    Hard Disk
10,000        384 MB    144 MB
1 million     2 GB      1.5 GB
10 million    2+ GB     15 GB

Requirements for processors depend on additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

4.4

Forcing the Backlink Process to Run


Because the internal eDirectory identifiers change when upgrading to eDirectory, the backlink process must update backlinked objects for them to be consistent.
Backlinks keep track of external references to objects on other servers. For each external reference on a server, the backlink process ensures that the real object exists in the correct location and verifies all backlink attributes on the master of the replica. The backlink process occurs two hours after the database is open and then every 780 minutes (13 hours). The interval is configurable from 2 minutes to 10,080 minutes (7 days).
After migrating to eDirectory, we recommend that you force the backlink to run by completing the following procedure. Running the backlink process is especially important on servers that do not contain a replica.
1 Click Start > Settings > Control Panel > Novell eDirectory Services.
2 In the Services tab, select ds.dlm.
3 Click Configure.
4 In the Trigger tab, click Backlinker.

For more information about the backlink process, see "Understanding WAN Traffic Manager" in the Novell eDirectory 8.8 SP7 Administration Guide.

4.5

Disk Space Check on Upgrading to eDirectory SP7 or later


When an eDirectory server is upgraded from 8.7.x and 8.8 to eDirectory 8.8 SP7 or later, a disk space check for the DIB upgrade is performed. The free disk space necessary in the file system where the DIB resides is equal to the DIB size. The messages of the disk space check are written to ni.log and <Install Path>/novell/nds/ndscheck.log.
NOTE: The disk space check is required only during the DIB upgrade process. For more information, refer to Chapter 6, "Upgrade Requirements of eDirectory 8.8," on page 95.


4.6

Installing Novell eDirectory on Windows


This section contains the following information:
  Section 4.6.1, "Installing or Updating Novell eDirectory 8.8 on a Windows Server," on page 75
  Section 4.6.2, "Server Health Checks," on page 77
  Section 4.6.3, "Communicating with eDirectory through LDAP," on page 77
  Section 4.6.4, "Installing NMAS Server Software," on page 80
  Section 4.6.5, "Installing NMAS Client Software," on page 80
  Section 4.6.6, "Installing into a Tree with Dotted Name Containers," on page 80
  Section 4.6.7, "Unattended Install and Configure to eDirectory 8.8 SP7 on Windows," on page 82

4.6.1

Installing or Updating Novell eDirectory 8.8 on a Windows Server


You can install eDirectory 8.8 for Windows without the Novell Client. If you install eDirectory 8.8 on a machine already containing the Novell Client, eDirectory will use the existing Client, or update it if it is not the latest version.
1 At the Windows server, log in as Administrator or as a user with administrative privileges.
2 To resolve tree names, make sure that SLP is correctly configured on your network and that SLP DAs are stable.
  For more information, see one of the following:
    Appendix C, "Configuring OpenSLP for eDirectory," on page 157.
    DHCP Options for Service Location Protocol (http://www.openslp.org/doc/rfc/rfc2610.txt)
    OpenSLP Documentation (http://www.openslp.org/documentation.html)
3 If you have Autorun turned off, run setup.exe from the nt folder (32-bit eDirectory) and windows folder (64-bit eDirectory) in the Novell eDirectory 8.8 SP7 CD or from the downloaded file.
4 Click Install.
  The installation program checks for the following components before it installs eDirectory. If a component is missing or is an incorrect version, the installation program automatically launches an installation for that component.
    NICI 2.7
    For more information on the Novell International Cryptographic Infrastructure (NICI), see the Novell International Cryptographic Infrastructure 2.7 Administration Guide (http://www.novell.com/documentation/nici27x/index.html).
    You might have to reboot the server after the NICI installation. If the installer displays a message saying that you need to reboot your server before continuing, click OK to reboot. The eDirectory installation will continue after the reboot.
    Novell Client for Windows
    IMPORTANT: The Novell Client is updated automatically if you have an older version of the Client already installed on the machine. For more information on the Client, see the Novell Client for Windows (http://www.novell.com/documentation/lg/noclienu/index.html) online documentation.
5 Click Next.
6 View the license agreement, then click I Accept.


7 Select a language for the installation, then click Next.
8 Specify or confirm the installation path, then click Next.
9 If the installation folder does not already exist, and you want the installer to create the folder for you, click Yes.
10 Specify or confirm the DIB path, then click Next.
11 If the DIB folder does not already exist, and you want the installer to create the folder for you, click Yes.
12 (New installations only) Select an eDirectory installation type, then click Next.
  Install eDirectory into an Existing Tree incorporates this server into your eDirectory network. The server can be installed into any level of your tree.
  Create a New eDirectory Tree creates a new tree. Use this option if this is the first server to go into the tree or if this server requires a separate tree. The resources available on the new tree will not be available to users logged in to a different tree.
13 Provide information in the eDirectory Installation screen, then click Next.
  If you are installing a new eDirectory server, specify a Tree name, Server object context, and Admin name and password for the new tree.
  If you are installing into an existing tree, specify the Tree name, Server object context, and Admin name and password of the existing tree.
  If you are upgrading an eDirectory server, specify the Admin password.
  NOTE: In eDirectory 8.8 and later, you can have case-sensitive passwords for all the utilities. Refer to the Novell eDirectory 8.8 SP7 What's New Guide (http://www.novell.com/documentation/edir88/edir88new/data/front.html) for more information.
  For information on using dots in container names, see "Installing into a Tree with Dotted Name Containers" on page 80.
14 (New installations only) In the HTTP Server Port Configuration page, specify the ports to use for the eDirectory administrative HTTP server, then click Next.
  IMPORTANT: Make sure that the HTTP stack ports you set during the eDirectory installation are different than the HTTP stack ports you have used or will use for Novell iManager. For more information, see the Novell iManager 2.7 Administration Guide (http://www.novell.com/documentation/imanager27/imanager_admin_275/data/hk42s9ot.html).
15 (New installations only) In the LDAP Configuration page, specify which LDAP ports to use, then click Next.
  For more information, see "Communicating with eDirectory through LDAP" on page 77.
16 Specify whether to configure the SecretStore module. By default, the Configure SecretStore option is selected.
17 Select the NMAS login methods you want to install.
  See "Installing NMAS Server Software" on page 80 and "Installing NMAS Client Software" on page 80 for more information.
18 Click Next.
19 Click Finish to complete the eDirectory installation.
20 When the installer completes the installation, click Done.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.


For more information about backing up eDirectory, see "Backing Up and Restoring Novell eDirectory," in the Novell eDirectory 8.8 SP7 Administration Guide.

4.6.2

Server Health Checks


With eDirectory 8.8, when you upgrade eDirectory, a server health check is conducted by default to ensure that the server is safe for the upgrade.
  Section B.3.2, "Partitions and Replica Health," on page 153
Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:
  If all the health checks are successful, the upgrade will continue.
  If there are minor errors, the upgrade will prompt you to continue or exit.
  If there are critical errors, the upgrade will exit.
See Appendix B, "eDirectory Health Checks," on page 151 for a list of minor and critical error conditions.

Skipping Server Health Checks


To skip server health checks, disable server health checks when prompted in the installation wizard.
For more information, see Appendix B, "eDirectory Health Checks," on page 151.

4.6.3

Communicating with eDirectory through LDAP


When you install eDirectory, you must select a port that the LDAP server monitors so that it can service LDAP requests. The following table lists options for various installations:

Installation      Option                         Result
eDirectory 8.8    Clear text (port 389)          Selects port 389.
eDirectory 8.8    Encrypted (port 636)           Selects port 636.
eDirectory 8.8    Require TLS for simple bind    Keeps (on the LDAP Group object) a parameter asked about during installation.

Port 389, the Industry-Standard LDAP Clear-Text Port


The connection through port 389 is not encrypted. All data sent on a connection made to this port is clear. Therefore, a security risk exists. For example, LDAP passwords can be viewed on a simple bind request.
An LDAP Simple Bind requires only a DN and a password. The password is in clear text. If you use port 389, the entire packet is in clear text. By default, this option is disabled during the eDirectory installation.
Because port 389 allows clear text, the LDAP server services Read and Write requests to the Directory through this port. This openness is adequate for environments of trust, where spoofing doesn't occur and no one inappropriately captures packets.

Installing or Upgrading Novell eDirectory on Windows

77

Todisallowclearpasswordsandotherdata,selecttheRequireTLSforSimpleBindwithPassword optionduringinstallation. Asthefollowingfigureillustrates,thepagegivesdefaultsof389,636,andRequireTLSforSimpleBind withPassword.


Figure 4-1 Defaults for the LDAP Configuration Screen

Scenario: Require TLS for Simple Bind with Password Is Enabled: Olga is using a client that asks for a password. After Olga enters a password, the client connects to the server. However, the LDAP server does not allow the connection to bind to the server over the clear-text port. Everyone is able to view Olga's password, but Olga is unable to get a bound connection.

The Require TLS for Simple Bind with Password option discourages users from sending observable passwords. If this setting is disabled (that is, not checked), users are unaware that others can observe their passwords. This option, which does not allow the connection, only applies to the clear-text port.

If you make a secure connection to port 636 and have a simple bind, the connection is already encrypted. No one can view passwords, data packets, or bind requests.

Port 636, the Industry-Standard Secure Port


The connection through port 636 is encrypted. TLS (formerly SSL) manages the encryption. By default, the eDirectory installation selects this port.

The following figure illustrates the selected port.

Figure 4-2 LDAP Server Connections Page in iManager

A connection to port 636 automatically instantiates a handshake. If the handshake fails, the connection is denied.

IMPORTANT: This default selection might cause a problem for your LDAP server. If a service already loaded on the host server (before eDirectory was installed) uses port 636, you must specify another port.

Installations earlier than eDirectory 8.7 treated this conflict as a fatal error and unloaded nldap.nlm. The eDirectory 8.7.3 onwards installation loads nldap.nlm, places an error message in the dstrace.log file, and runs without the secure port.

Scenario: Port 636 Is Already Used: Your server is running Active Directory*. Active Directory is running an LDAP program, which uses port 636. You install eDirectory. The installation program detects that port 636 is already used and doesn't assign a port number for the Novell LDAP server. The LDAP server loads and appears to run. However, because the LDAP server does not duplicate or use a port that is already open, the LDAP server does not service requests on any duplicated port.

If you are not certain that port 389 or 636 is assigned to the Novell LDAP server, run the ICE utility. If the Vendor Version field does not specify Novell, you must reconfigure LDAP Server for eDirectory and select a different port. For more information, see "Verifying That the LDAP Server Is Running" in the Novell eDirectory 8.8 SP7 Administration Guide.

Scenario: Active Directory Is Running: Active Directory is running. Clear-text port 389 is open. You run the ICE command to port 389 and ask for the vendor version. The report displays Microsoft*. You then reconfigure the Novell LDAP server by selecting another port, so that the eDirectory LDAP server can service LDAP requests.

Novell iMonitor can also report that port 389 or 636 is already open. If the LDAP server isn't working, use Novell iMonitor to identify details. For more information, see "Verifying That the LDAP Server Is Running" in the Novell eDirectory 8.8 SP7 Administration Guide.


4.6.4

Installing NMAS Server Software


Novell Modular Authentication Service (NMAS) server components are installed automatically when you run the eDirectory installation program. You will need to select the login methods you want to install.

Select the login methods that you want to install into eDirectory by checking the appropriate check boxes. When you select a login method, a description of the component appears in the Description box. For more information on login methods, see "Managing Login and Post-Login Methods and Sequences" (http://www.novell.com/documentation/nmas33/admin/data/a53vj9a.html) in the Novell Modular Authentication Services 3.3 Administration Guide.

Click Select All if you want to install all the login methods into eDirectory. Click Clear All if you want to clear all selections.

The NDS login method is installed by default.

4.6.5

Installing NMAS Client Software


The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods.

1 At a Windows client workstation, insert the Novell eDirectory 8.8 CD.
2 From the NMAS directory, run nmasinstall.exe.
3 Select the NMAS Client Components check box.
  Optionally, you can select the NICI check box if you want to install this component.
4 Click OK, then follow the on-screen instructions.
5 Reboot the client workstation after the installation completes.

4.6.6

Installing into a Tree with Dotted Name Containers


You can install a Windows server into an eDirectory tree that has containers with dots in the names (for example, O=novell.com or C=u.s.a). Using containers with dotted names requires that those dots be escaped with the backslash character. To escape a dot, simply put a backslash in front of any dot in a container name. See Figure 4-3 for an example.

You cannot start a name with a dot. For example, you cannot create a container named .novell because it starts with a dot (.).

Figure 4-3 eDirectory Installation Information Screen

IMPORTANT: If your tree has containers with dotted names, you must escape those names when logging into utilities such as iMonitor, iManager, and DHost iConsole. For example, if your tree has novell.com as the name of the O, enter username.novell\.com in the Username field when logging into iMonitor (see Figure 4-4).

Figure 4-4 iMonitor Login Screen


4.6.7

Unattended Install and Configure to eDirectory 8.8 SP7 on Windows


eDirectory 8.8 SP7 automates the eDirectory installation and upgrade so that eDirectory is installed or upgraded silently on Windows servers without human intervention.

On Windows, the unattended installation of eDirectory uses predefined text files that facilitate the unattended installation or upgrade. You can perform any of the following setups using the unattended installation of eDirectory:

Standalone installation or upgrade of eDirectory, depending on whether it is a complete installation of eDirectory or not. The standalone upgrade process upgrades only the installed files.
Configuration of installed eDirectory. If you install eDirectory, a complete configuration of eDirectory is performed. Otherwise, when you upgrade eDirectory, the installer only configures the upgraded files.
A combination of both installation or upgrade and configuration of eDirectory. It can either be installation and configuration of eDirectory or an upgrade and configuration of only the required files.

For more information on how to specify the setup for unattended installation, refer to the section "Adding Features to the Automated Installation" on page 83.

Prerequisites
Ensure Microsoft Visual C++ 2005 Runtime Libraries are installed. Install them manually from:
  32-bit: vcredist_x86.exe, located at eDirectory\nt\i386\redist_pkg
  64-bit: vcredist_x86.exe and vcredist_x64.exe, located at eDirectory\nt\x64\redist_pkg
Ensure NICI is installed:
  32-bit: eDirectory/Windows/x64/nici/wcniciu0.exe
  64-bit: eDirectory/Windows/x64/nici/wcniciu0.exe
Set to program mode:
  Run Windows/SysWOW64/novell/nici/set_server_mode.bat

The following sections discuss various features that can be used to configure the unattended installation, including the install location, no display of splash screens, port configurations, additional NMAS methods, stopping and starting SNMP services, etc.

"Response Files" on page 82
"Adding Features to the Automated Installation" on page 83
"Controlling Automated Installation" on page 88
"Unattended Installation of eDirectory using Response File" on page 91

Response Files
Installing or upgrading to eDirectory 8.8 SP7 on a Windows operating system can be made silent and more flexible by using a response file for the following:

Complete unattended installation with all required user inputs
Default configuration of components
Bypassing all prompts during the installation

A response file is a text file containing sections and keys, similar to a Windows .ini file. You can create and edit a response file using any ASCII text editor. The eDirectory upgrade reads the installation parameters directly from the response file and replaces the default installation values with response file values. The installation program accepts the values from the response file and continues to install without prompts.

Response.ni File Sections and Keys


The eDirectory 8.8 SP7 installation requires changes to the sections in the response file to add information about the eDirectory instance to be installed, including the tree name, administrator context, administrator credentials (including user name and passwords), installation locations, etc. A full list of the keys and their default values is available in the sample response.ni file that is delivered with the eDirectory installation.

NOTE: You should use the provided response.ni file available at eDirectory\nt\i386\NDSonNT\response.ni (for 32-bit) and eDirectory\windows\x64\NDSonNT\response.ni (for 64-bit) in the eDirectory installation. There are essential parameters that are set by default in this file. When editing the response.ni file, ensure there are no blank spaces between the key and the values along with the equals sign (=) in each key-value pair.

Installation Syntax
You can also use a response file for two scenarios in an upgrade:

To provide the values of the tree parameters and to configure an unattended installation.
To input values during an upgrade.

IMPORTANT: You provide the administrator user credentials in the response.ni file for an unattended installation. Therefore, you should permanently delete the file after the installation to prevent the administrator credentials from being compromised.

Adding Features to the Automated Installation


Most details for configuring the eDirectory Installer have default settings for the manual installation. However, during unattended installation, each configuration parameter must be explicitly configured. This section discusses the basic settings to be configured, irrespective of any sequence of installation or additional features.

eDirectory Server Details


Regardless of whether it is an upgrade or a primary/secondary server installation, the details of the server being installed or upgraded must be provided to the Installer. Most of this information is configured in two tags, [NWI:NDS] and [Initialization].
[NWI:NDS]

Upgrade Mode: This key applies only to a server upgrade. Though not essential, set this parameter to False for fresh installations. For an upgrade, you can either set it to True or to Copy.

Server Context: This is the complete DN of the server object (server name), along with the container object. For example, if the server being installed is EDIR-TEST-SERVER, the value for this parameter will be EDIR-TEST-SERVER.Novell if the Server container is Novell.

mode: The type of setup on eDirectory. The three types of setup are:
  install: Performs installation of eDirectory or an upgrade of the required files.
  configure: Configures eDirectory. If you only perform an upgrade of the required files, then the installer only configures the upgraded files.
  full: Performs both installation and configuration of eDirectory. This type of installation can either be installation and configuration of eDirectory or an upgrade and configuration of only the required files.
By default, the mode key is set to full.
NOTE: If you opt for the full setup mode, then while uninstalling eDirectory you cannot opt for individual deconfiguration and uninstallation options.

Tree Name: For a primary server installation, this is the name of the tree that needs to be installed. For a secondary server installation, this is the tree to which this server must be added.

Server Name: The name of the server that is being installed.

Server Container: Any server added to a tree has a server object containing all the configuration details specific to the server. This parameter is the container object in the tree to which the server object will be added. For primary server installations, this container will be created with the server object.

Admin Login Name: The name (RDN) of the Administrator object in the tree that has full rights, at least to the context to which this server is added. All operations in the tree will be performed as this user.

Admin Context: Any user added to a tree has a user object that contains all the user-specific details. This parameter is the container object in the tree to which the Administrator object will be added. For primary server installations, this container will be created with the server object.

Admin password: The password for the Administrator object created in the previous parameters. This password will be configured to the Administrator object during primary server installations. For secondary server installations, this needs to be the password of the Administrator object in the primary server that has rights to the context to which the new server is added.

NDS Location: The eDirectory install location in the local system where the libraries and binaries are copied. By default, eDirectory is installed into C:\Novell\NDS unless it is changed in the response file.

DataDir: Until eDirectory version 8.8, the DIB was installed inside the NDS location as a subfolder. Later, administrators were given the option to provide a different DIB location, because there might be too much data stored in the DIB to fit into the NDS location. Currently, by default the DIB is installed in the Files subfolder inside the NDS location, but administrators can change this parameter and provide a different location.

The following is a sample of text in the response file for all the basic parameters described above:
[NWI:NDS]
Upgrade Mode=copy
Tree Name=SLP-TEST
Server Name=NDS-LDAP-P2-NDS
Server Container=Novell
Server Context=NDS-LDAP-P2-NDS.Novell
Admin Context=Novell
Admin Login Name=Admin
Admin Password=novell
NDS Location=E:\Novell\NDS
DataDir=E:\Novell\NDS\Files

You can also configure two additional parameters:

Installation Location: This is the same as the NDS Location configured in the previous section. This location is used by the Installer while copying files to the install location, and the other location is used by the components to refer to the base eDirectory installation while they are configured. The default value is C:\Novell\NDS, if not specified in the response file.
For example:

[Novell:DST:1.0.0_Location]
Path=file:/C:\Novell\NDS

System Location: The eDirectory Installer requires access to the system folder to copy DLLs and to access system-specific files during installation. This parameter must be configured with the path to the system folder of the machine where the server is installed.
For example:

[Novell:SYS32_DST:1.0.0_Location]
Path=file:/C:\WINNT\system32

The following screen appears when the server collects the above parameters from the response file.

Figure 4-5 Installing eDirectory

Adding NMAS Methods


eDirectory supports installation of multiple NMAS methods, both during install and upgrade. During manual installations, you can select the NMAS methods to install and configure. This can also be achieved in automated installations.

The NMAS-related configuration settings are provided inside the [NWI:NMAS] tag. The tag has two keys to be configured, and both are mandatory:

Choices: This key informs the eDirectory installation component of the number of NMAS methods that need to be installed.
Methods: This key lists the NMAS method options that need to be installed. Currently, there are 12 supported NMAS methods. The method names and their types are as follows:

Table 4-1 NMAS Methods

Method Name           Method Type
CertMutual            Certificate mutual login method
Challenge Response    The Novell challenge response NMAS method
DIGEST-MD5            Digest MD5 login method
GSSAPI                SASL GSSAPI mechanism for eDirectory. Authentication to eDirectory through LDAP using a Kerberos ticket
NDS                   NDS login method (default)
Simple Password       Simple password NMAS login method

NOTE: The method names should exactly match those listed in the above table, as options to the Methods key. The Installer matches the exact string (with case) for choosing the NMAS methods to install.

The NDS NMAS method is mandatory and will be installed automatically if no NMAS methods list is provided. However, if you are creating an explicit list, do not remove this method from the list.

If the NMAS methods are configured using this methodology in the response file, eDirectory shows the following status while installing, without prompting for user input.

Figure 4-6 NMAS Login Method Creation

The following is sample text in the response file for choosing the NMAS methods:

[NWI:NMAS]
Choices=12
Methods=X509 Advanced Certificate,CertMutual,Challenge Response,DIGEST-MD5,Enhanced Password,Entrust,GSSAPI,NDS,NDS Change Password,Simple Password,Universal Smart Card,X509 Certificate

HTTP Ports
eDirectory listens on preconfigured HTTP ports for access through the Web. For example, iMonitor accesses eDirectory through Web interfaces. They need to specify certain ports in order to access the appropriate applications. There are two keys that can be set prior to installation to configure eDirectory on specific ports:

Clear Text HTTP Port: The port number for the HTTP operations in clear text.
SSL HTTP Port: HTTP port number for operations on the secure socket layer.

The following is sample text in the response file for configuring HTTP port numbers:

[eDir:HTTP]
Clear Text HTTP Port=8028
SSL HTTP Port=8030

LDAP Configuration
eDirectory supports LDAP operations. It listens for LDAP requests in clear text and SSL, on two different ports. These ports can be configured in the response file prior to installation so that when eDirectory is started, it listens on these configured ports.

There are three keys in the [NWI:NDS] tag that configure the LDAP ports:

LDAP TLS Port: The port on which eDirectory should listen for LDAP requests in clear text.
LDAP SSL Port: The port on which eDirectory should listen for LDAP requests in SSL.

You can also use a key to configure whether eDirectory should mandate secure connections when bind requests send the password in clear text.

Require TLS: Whether eDirectory should mandate TLS when receiving LDAP requests in clear text.

Figure 4-7 LDAP Configuration

The following is sample text in the response file for LDAP configuration:

[NWI:NDS]
Require TLS=No
LDAP TLS Port=389
LDAP SSL Port=636

Language Settings
The eDirectory Installer language settings configure the locale and set the display language.

There are currently three locale options that can be set during installation: English, French and Japanese. Each has a specific key in the [Novell:Languages:1.0.0] tag that can be set to True/False prior to the start of installation.

LangID4: English. Setting this to True configures the English locale during installation.
LangID6: French. Setting this to True configures the French locale during installation.
LangID9: Japanese. Setting this to True configures the Japanese locale during installation.

These options are mutually exclusive, which is easily enforced in manual installation via radio buttons. In unattended installations, you need to ensure only one of them is set to True.

The following is sample text in the response file for configuring an English locale:

[Novell:Languages:1.0.0]
LangID4=true
LangID6=false
LangID9=false

Status messages about the configuration of each component are displayed in message boxes throughout the installation. By default, these messages are in English. You can also change the display language during installation by using the DisplayLanguage key in the [Initialization] tag.

DisplayLanguage: This key is in the [Initialization] section. Its parameters configure languages. The following is sample text in the response file for configuring English as the display language:

[Initialization]
DisplayLanguage=en_US

Configuration Mode Settings


If the setup mentioned in the mode key is configure, then ensure that you do not change the RestrictNodeRemove value of the ConfigurationMode key in the [Initialization] section.

Controlling Automated Installation


The response file can also be edited to control the flow of automated installation.

Stopping SNMP services


This feature is specific to an eDirectory installation on Windows. Most Windows servers have SNMP configured and running. When eDirectory installs, the SNMP services need to be brought down and restarted after the installation. With manual installations, the Installer prompts the user on screen to stop the SNMP services before continuing the installation. This prompt can be avoided during automation by setting the key in the [NWI:SNMP] tag:

Stop service: Set the value to Yes to stop the SNMP services without prompting. The status is displayed on screen as shown below:

Figure 4-8 SNMP Service Shutdown

The following is sample text in the response file for stopping SNMP services:

[NWI:SNMP]
Stop service=yes

SLP Services
eDirectory uses SLP services to identify other servers or trees in the subnet during installation or upgrade. If SLP services are already installed on your server, and you want to replace them with the version that ships with the current version of eDirectory (or use your own SLP services), you can set appropriate keys in the [NWI:SLP] tag to uninstall and remove the existing SLP services.

The following is sample text in the response file for uninstalling and removing SLP services:

[EDIR:SLP]
Need to uninstall service=true
Need to remove files=true

Primary/Secondary Server Installation


The eDirectory Installer provides options for the unattended install of a primary or a secondary server into a network. There are three keys that help the Installer decide whether it is a primary or a secondary server installation.

New Tree: Use this key in the [NWI:NDS] tag and set it to Yes for a new tree installation, or No for a secondary server installation.
ExistingTreeYes: This key is in the [Novell:ExistingTree:1.0.0] tag. Set it to True/False. Set this to False for a new tree or primary server installation and set it to True for a secondary server in an existing tree.
ExistingTreeNo: This key also is in the [Novell:ExistingTree:1.0.0] tag. Although it seems to be redundant to the previous key, the Installer refers to both keys, so both of them must be configured properly. Set this one to True for a new tree or primary server installation and set it to False for adding a secondary server in an existing tree.

For example, the keys for installing a primary server in a new tree would be as follows:

[NWI:NDS]
New Tree=Yes

[Novell:ExistingTree:1.0.0]
ExistingTreeYes=false
ExistingTreeNo=true

and for a secondary server installation into an existing tree:

[NWI:NDS]
New Tree=No

[Novell:ExistingTree:1.0.0]
ExistingTreeYes=true
ExistingTreeNo=false

Preconfigured Unattended Installation


All user-specific configuration details can be edited in the response file. However, there are certain parameters that should not be changed. These are for file copy and component information specific to the eDirectory components to be installed. Make sure these parameters in the response file are not modified. Do not change them from the values in the eDirectory release.

Install as Service Tag: eDirectory runs as a service in Windows. It is mandatory that this parameter is always set to Yes to make sure that eDirectory is installed as a service.

[NWI:NDS]
Install as Service=Yes

Selected Nodes Tag: This tag lists the components that are installed in eDirectory, along with information in the profile database that contains more information about the component, including source location, destination copy location, and component version. These details in the profile database are compiled into a .db file that is delivered in the eDirectory release.

[Novell:NOVELL_ROOT:1.0.0]

File Copy Tag: This tag contains keys for display settings that are handled in the next section, including the file copy profile information:

overWriteNewerFile=false
overWriteNewerFilePrompt=true
copyToRemoteDestination=true

These options specify the response from the eDirectory Installer in scenarios such as file write conflicts, file copying decisions, etc.

Silent Installation Parameters


This section describes parameters that need to be set for the Installer to run unattended.

[NWI:NDS]
Prompt=false

The [NWI:NDS] section describes eDirectory configuration details such as tree name and server name. If you don't want the Installer to prompt for values for these parameters, set this parameter to False.

[Selected Nodes]
Prompt=false

If you don't want the Installer to prompt for the destination copy location, version details, etc. for all components configured with eDirectory, set this parameter to False in the [Selected Nodes] tag.

[Novell:NOVELL_ROOT:1.0.0]
Prompt=false

If you don't want the Installer to prompt for yes/no questions, or for other decisions with parameters in this section, set this parameter to False in the [Selected Nodes] tag.

[Novell:ExistingTree:1.0.0]
Prompt=false

If you don't want the Installer to prompt for deciding whether it is a new tree installation, or for adding a secondary server to an existing tree, set this parameter to False in the [Selected Nodes] tag.

[Initialization]
InstallationMode=silent
SummaryPrompt=false
prompt=false

The InstallationMode key must always be explicitly set to Silent for unattended installations.
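A pre-flight check of the response-file rules stated in the sections above (no blank spaces around the equals sign, exact NMAS method names with NDS kept, one locale, consistent tree keys, silent mode, the stored administrator password, and Require TLS), as an added example that is not part of the guide or of the eDirectory Installer. The function names, finding codes and the constructed sample are assumptions made for this illustration.

```python
import re

# Method names from the guide's sample Methods line; the Installer matches them exactly, with case.
KNOWN_NMAS_METHODS = {
    "X509 Advanced Certificate", "CertMutual", "Challenge Response", "DIGEST-MD5",
    "Enhanced Password", "Entrust", "GSSAPI", "NDS", "NDS Change Password",
    "Simple Password", "Universal Smart Card", "X509 Certificate",
}

def parse_response(text):
    """Return ({section: {key: value}}, findings) for response.ni-style text."""
    sections, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            # The guide's samples repeat [NWI:NDS], so repeated sections are merged.
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            findings.append(("FORMAT", f"line {lineno}: not a key=value pair in a section"))
            continue
        key, value = line.split("=", 1)
        if key != key.rstrip() or value != value.lstrip():
            findings.append(("FORMAT", f"line {lineno}: blank space next to '='"))
        current[key.strip()] = value.strip()
    return sections, findings

def _is(value, expected):
    """Case-insensitive comparison that treats a missing key as a mismatch."""
    return value is not None and value.lower() == expected

def lint_response(text):
    """Return (code, message) findings for the rules the guide states."""
    sections, findings = parse_response(text)
    nds = sections.get("NWI:NDS", {})
    if nds.get("Admin Password"):
        findings.append(("CREDENTIAL", "administrator password is stored in the file; "
                         "permanently delete the file after installation"))
    if _is(nds.get("Require TLS"), "no"):
        findings.append(("CLEARTEXT_BIND", "Require TLS=No: a simple bind on the clear-text "
                         "port sends the password unencrypted"))
    if not _is(nds.get("Install as Service"), "yes"):
        findings.append(("SERVICE", "Install as Service must be Yes"))
    nmas = sections.get("NWI:NMAS")
    if nmas is not None:
        methods = nmas["Methods"].split(",") if nmas.get("Methods") else []
        if nmas.get("Choices") != str(len(methods)):
            findings.append(("NMAS_COUNT", f"Choices does not match {len(methods)} listed methods"))
        for name in methods:
            if name not in KNOWN_NMAS_METHODS:
                findings.append(("NMAS_NAME", f"'{name}' is not an exact NMAS method name"))
        if "NDS" not in methods:
            findings.append(("NMAS_NDS", "an explicit Methods list must keep NDS"))
    langs = sections.get("Novell:Languages:1.0.0")
    if langs is not None:
        enabled = [k for k in ("LangID4", "LangID6", "LangID9") if _is(langs.get(k), "true")]
        if len(enabled) != 1:
            findings.append(("LANG", f"exactly one locale must be true, found {len(enabled)}"))
    new_tree = nds.get("New Tree")
    if new_tree is not None:
        tree = sections.get("Novell:ExistingTree:1.0.0", {})
        want_yes, want_no = ("false", "true") if _is(new_tree, "yes") else ("true", "false")
        if not (_is(tree.get("ExistingTreeYes"), want_yes)
                and _is(tree.get("ExistingTreeNo"), want_no)):
            findings.append(("TREE", "ExistingTreeYes/ExistingTreeNo contradict New Tree"))
    if not _is(sections.get("Initialization", {}).get("InstallationMode"), "silent"):
        findings.append(("MODE", "[Initialization] InstallationMode must be silent"))
    return findings

# Constructed sample with deliberate defects (not a file shipped with eDirectory).
CONSTRUCTED_BAD = """\
[NWI:NDS]
New Tree=Yes
Admin Password = constructed-placeholder
Require TLS=No
Install as Service=Yes
[NWI:NMAS]
Choices=3
Methods=CertMutual,digest-md5
[Novell:Languages:1.0.0]
LangID4=true
LangID6=true
LangID9=false
[Novell:ExistingTree:1.0.0]
ExistingTreeYes=true
ExistingTreeNo=true
"""

if __name__ == "__main__":
    for code, message in lint_response(CONSTRUCTED_BAD):
        print(f"{code}: {message}")
```

The CREDENTIAL finding is expected on every usable response file, because the administrator password has to be present for the unattended run; it serves as the reminder to delete the file afterwards.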

Status and Image Displays


During installation, there are various images and status information displayed. Most images contain information on what version of eDirectory is installed, what components are installed, a welcome screen, license files, customization options, a status message indicating the component currently being installed, percentage complete, etc. Some applications that intend to embed eDirectory might not want eDirectory displaying these images.

All image and status display details are configured in the [Novell:NOVELL_ROOT:1.0.0] tag, including configuration information for the welcome page, close page, summary page, license agreement page, language page, custom choices page, wizard page, welcome page. There are corresponding on/off parameters for each of these configurations.

For example:

The welcomeScreen parameter is controlled by showWelcomeScreen=true/false.
The summaryScreen parameter is controlled by allowSummary=true/false.
The licenseAgreementScreen parameter is controlled by allowLicenseAgreement=true.
If the progress bar shouldn't be displayed, use allowStatusBar=false.
If the final page that reports successful installation is not required, set [eDirCloseScreen] Silent=true.

Most of the details are preconfigured in the response file that ships with eDirectory. If you need modifications, change the parameters in this tag.

Unattended Installation of eDirectory using Response File


Launching the eDirectory Installer on Windows is easy. The install.exe delivered in the eDirectory release is invoked in the command line with a few additional parameters.

Depending on the setup mode you have specified, use one of the following commands:

NOTE: The nopleasewait option used in the commands ensures that the status window for installation, upgrade, or configuration is not displayed.

Install

32-bit: <Unzipped Location>\nt\I386\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\nt\I386\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni

64-bit: <Unzipped Location>\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni

Configure

32-bit and 64-bit: <Windows Drive>\Program Files\Common Files\novell>install.exe /silent /restrictnoderemove /nopleasewait /template=<Response file>
For example, c:\Program Files\Common Files\novell>install.exe /silent /restrictnoderemove /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni

A combination of installation or upgrade and configuration of eDirectory

32-bit: <Unzipped Location>\nt\I386\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\nt\I386\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni

64-bit: <Unzipped Location>\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni

5

Relocating the DIB

After installing and configuring Novell eDirectory, if there is a need to relocate the DIB, you can do it. You might want to relocate your DIB for multiple reasons, such as when the number of objects in the tree is expected to grow but the current file system where the DIB exists does not have sufficient space.

5.1

Linux and UNIX


Complete the following procedure to relocate your DIB:

1 Check the server status by entering the following command at the command line:
  ndscheck
2 Stop the eDirectory service using ndsmanage as follows:
  2a Enter ndsmanage at the command prompt.
  2b Select the instance you want to stop.
     The menu expands to include the options you can perform on a specific instance.
  2c Enter k to stop the instance.
3 Get the current DIB location using the following command:
  ndsconfig get n4u.nds.dir
  NOTE: In eDirectory 8.8, by default the DIB is located at /var/opt/novell/eDirectory/data/ and on pre-eDirectory 8.8 servers, it is located at /var/nds/.
4 Copy the DIB to the new location as follows:
  cp -rp current__location new__location
  For example, to copy the DIB to /home/nds/, enter the following:
  cp -rp /var/opt/novell/eDirectory/data//* /home/nds//
5 Edit the instance-specific nds.conf configuration file and change the parameter value of n4u.nds.dir as follows:
  n4u.nds.dir=new__location
  For example, if you are changing the DIB from /var/nds/ to /home/nds/, type the following:
  n4u.nds.dir=/home/nds/
6 Start the eDirectory service as follows:
  6a Enter ndsmanage at the command prompt.
  6b Select the instance you want to start.
     The menu expands to include the options you can perform on a specific instance.
  6c Enter s to start the instance.
7 Check the server status as follows:
  ndscheck

5.2

Windows
DIB relocation is currently not supported. However, you can locate the DIB in a custom location during the eDirectory installation.

Upgrade Requirements of eDirectory 8.8

One of the unique features of eDirectory is its ability to maintain tight referential integrity. Any objectClasses derived from Top will have a reference attribute in its class definition. This is a hidden attribute added to all the referenced objects that are internally maintained by eDirectory. Background processes keep running to check the links between the referenced object and the referencing objects. If the referenced object is from a different partition than the one held locally in the server, an external reference to that object will be created locally in the external reference partition. An external reference is a representation of an object existing in the eDirectory tree. However, it is not a copy of the object and its assigned attributes.

Though we can remove the Reference attribute from eDirectory, currently, the class definitions are untouched to maintain the backward compatibility in the tree.

Figure 6-1 iMonitor Output showing References to an Object

This chapter explains the changes and possible upgrade scenarios in eDirectory 8.8.

Section 6.1, "Reference Changes in 8.8 SP1 or later versions," on page 96
Section 6.2, "Upgrade Process in 8.8 SP7," on page 96
Section 6.3, "Performing a Dry Run before Upgrading eDirectory," on page 98

6.1

Reference Changes in 8.8 SP1 or later versions


The reference attribute is a hidden attribute and is maintained on each referenced object. This is created and maintained by DS. The new referencing code in DS is based on a Flexible Adaptable Information Manager (FLAIM) index called LocalEntryIDIndex that DS creates. Though FLAIM maintains the index, the usage is determined by DS. FLAIM automatically updates the index when a DN value is added or deleted. Each key in the index is a compound key, that is, DN of the object being referenced + Entry ID of the referencing object. For example, if there is an object with Entry ID 343, and it has a member value that points to object #899, FLAIM will automatically generate a key in the index of 899+343. DS can now do lookups in the index to find all the objects pointing to object #899. Object #899 does not have to keep a reference attribute on itself to remember all the objects referencing it. Actually, FLAIM maintains the index without knowing how it is used, but DS has the code that knows how to use the index.

However, the new way of maintaining references requires a database upgrade when the existing eDirectory instance is upgraded to 8.8 SP1 or later versions. The upgrade requires the creation of a new index, which will require traversing each entry in the database. It also requires the removal of all of the reference attributes from each entry in the database. In addition, some internal octet string attributes used by DS that had embedded DNs would need to generate some new DN values to store alongside the octet string value. All this would be a time-consuming process on a large database.

Since DS is changed to do referential integrity using the new FLAIM feature, and that depends on the new index, there is no way DS can really operate until the conversion is complete. Therefore, the first time an existing database is opened, all reference attributes need to be changed to a new index. It could take hours before it actually opens and is ready for use by applications for a large database.
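A simplified model of the compound-key index and of the one-time conversion described above, as an added example that is not FLAIM or DS code. The function names, the dictionary layout of an entry and Entry ID 512 are constructed for this illustration; 343 and 899 are the IDs from the text.

```python
import bisect

def upgrade_references(entries):
    """Traverse every entry once: index its DN values, then drop the old reference attribute."""
    index = []
    for entry_id, entry in entries.items():
        for referenced_id in entry.get("dn_values", []):
            index.append((referenced_id, entry_id))  # compound key: referenced + referencing
        entry.pop("reference", None)
    index.sort()
    return index

def referrers_of(index, referenced_id):
    """Range scan over all keys whose first part is referenced_id."""
    lo = bisect.bisect_left(index, (referenced_id,))
    hi = bisect.bisect_left(index, (referenced_id + 1,))
    return [referencing_id for _, referencing_id in index[lo:hi]]

def add_dn_value(index, entries, referencing_id, referenced_id):
    """Adding a DN value updates the index; the referenced object itself is not touched."""
    entries[referencing_id].setdefault("dn_values", []).append(referenced_id)
    bisect.insort(index, (referenced_id, referencing_id))

def delete_dn_value(index, entries, referencing_id, referenced_id):
    """Deleting a DN value removes the matching compound key."""
    entries[referencing_id]["dn_values"].remove(referenced_id)
    index.remove((referenced_id, referencing_id))

def constructed_entries():
    """Constructed pre-upgrade database: object 899 still carries its hidden reference attribute."""
    return {
        343: {"dn_values": [899]},
        512: {"dn_values": [899, 343]},
        899: {"dn_values": [], "reference": [343, 512]},
    }

if __name__ == "__main__":
    entries = constructed_entries()
    index = upgrade_references(entries)
    print(index)
    print(referrers_of(index, 899))
```

The conversion loop touches every entry, which is why the text warns that the first open of a large database after the upgrade can take hours.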

6.2

Upgrade Process in 8.8 SP7


The ndsconfig upgrade command is used to upgrade the necessary configuration of the individual components such as HTTP, LDAP, SNMP, SAS, and NMAS. The eDirectory database is upgraded to a new format if eDirectory versions prior to eDirectory 8.8 SP1 are upgraded to eDirectory 8.8 SP7.

The appropriate upgrade utility is called after the packages are upgraded to eDirectory 8.8 SP7.

A new offline database upgrade utility is available with eDirectory 8.8 SP1 onwards.

NOTE: In case the administrator wants to run the utility and find out the status of the upgrade, this database upgrade tool can be used with a copy of the database or with the -d option.

UNIX/Linux    Windows
ndsupg        ndsupg.exe

Figure 6-2 ndsupg Help Screen

The following table discusses the ndsupg options.

Table 6-1 ndsupg Options

Option    Description
-q        Quiet mode. There will not be any messages in quiet mode. Messages will be logged to log file (if provided) even in -q mode. It is recommended that you always provide a log file name for troubleshooting purpose.
-d        Dry run. Upgrade will be performed on a copy of the actual database. IMPORTANT: ds.nlm should be unloaded before loading dsup.nlm. This option can be used if the administrator wants to know if the upgrade is going to be successful and also to estimate the time required to upgrade the database. It is recommended to take a copy of the DIB. NOTE: eDirectory service should be unloaded or stopped before taking a copy of the database. ndsupg utility can be run on the copied database to estimate the downtime required for the actual upgrade. During this time, eDirectory service can be loaded or restarted.
-v        Verbosity of the messages. The default value is 3 where all messages are logged. It is recommended to always leave the verbosity level to its default value.
-l        Provide a log file name where messages are logged during upgrade. The log file will indicate the time the upgrade started and the end time. Given below is a snapshot of log file.

6.3 Performing a Dry Run before Upgrading eDirectory

ndsupg can be used to perform a dry run before upgrading the packages. This utility alone can be used against a copied database on all the supported platforms. The advantage is that eDirectory services will still be available when the dry run is being performed.

Here, the -d option can be used where the upgrade utility itself takes a copy of the DIB and performs the upgrade on the copy. ds.nlm should be unloaded while copying the database to ensure the integrity of the database. Upgrade will require twice the size of the database since a copy needs to be taken.

6.3.1 Common Problems Encountered during the Upgrade Process

The following FAQ section discusses the common problems faced while upgrading from the previous versions of eDirectory to eDirectory 8.8.

Question: I am upgrading from eDirectory 8.7.x to eDirectory 8.8. The upgrade process failed with an error. My eDirectory 8.7.x server no longer comes up.
Answer: While upgrading from 8.7.x to eDirectory 8.8, the database goes through a two-phase upgrade. In the first phase, a key pair is created for encrypted attributes support which was introduced in eDirectory 8.8. In the second phase, DIB upgrade happens for reference changes. In case the second phase fails after the first phase, the existing binaries (eDirectory 8.7.x) will not be able to open the database as database is already upgraded to 8.8 level and the database version is changed to reflect that. We recommend taking a backup of the database before proceeding with upgrading to eDirectory 8.8. Please refer to Section 8.2, "Migrating to eDirectory 8.8 SP7 Without Upgrading the Operating System," for further details.

Question: The upgrade process seems to be taking a lot of time.


Answer: The upgrade scans the entire database and checks for reference attributes on all the objects. This process might take a while depending on the number of the objects in the database. It may take hours for a database with 5 million objects with reference attributes on all the objects.

Question: The upgrade process seems to be taking a lot of space in the storage.
Answer: Since the entire reference upgrade has to be done in a single transaction and transaction rollback is required in case the upgrade fails, FLAIM keeps the changed blocks in its nds.db file. As a result of this, you might observe the nds.db growing during the upgrade process. This is quite normal. The file might spill over to nds.00v, nds.002, etc. The upgrade process will require as much as 100% of existing disk space depending on the number of objects to be upgraded. For example, a DIB size of 15 Gig might require another 15 Gig free space, if all objects in the DIB have reference attributes.

Question: The eDirectory database upgrade proceeds even if I provide a wrong password and admin user.
Answer: eDirectory package upgrade and database upgrade happen based on your file system rights. The eDirectory administrator password will not be used for this. It has a side effect that the login might fail once the upgrade begins. The next attempt to use the ndsconfig upgrade command will always go through.

Question: I provided a wrong password for administrator. My upgrade failed, and I started the upgrade again with the correct password. The upgrade is again taking long time (as long as 1 hour for a 5 million objects with reference attributes on all) to bring up the initial display.
Answer: eDirectory maintains the reference attributes in a separate container in the database. The delay in the initial display is due to the time it takes FLAIM to delete the database container that holds the Reference attribute records.


Configuring Novell eDirectory on Linux, Solaris, or AIX Systems

Novell eDirectory includes configuration utilities that simplify the configuration of various eDirectory components on Linux, Solaris, and AIX systems. The following sections provide information about functionality and usage of eDirectory configuration components:

Section 7.1, "Configuration Utilities"
Section 7.2, "Configuration Parameters"
Section 7.3, "Security Considerations"

7.1 Configuration Utilities

This section provides information about using the following eDirectory configuration utilities:

Section 7.1.1, "The ndsconfig Utility"
Section 7.1.2, "Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects"
Section 7.1.3, "Using the nmasinst Utility to Configure Novell Modular Authentication Service"
Section 7.1.4, "Using ndsd init Script"

7.1.1 The ndsconfig Utility

You can use the ndsconfig utility to configure eDirectory. This utility can also be used to add the eDirectory Replica Server into an existing tree or to create a new tree. For more information, see Section 1.6.4, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server."

NOTE: Ensure that the NCP server name is unique in the network.

To change the current configuration of the installed components, use the following syntax:

ndsconfig {set value_list | get [parameter_list] | get help [parameter_list]}

Refer to Section 7.2, "Configuration Parameters," for a description of ndsconfig parameters.

IMPORTANT: After installation, ensure that you run the ndsconfig utility from the installed location on the server, which is /opt/novell/eDirectory/bin by default. Do not run ndsconfig from the installation package.


7.1.2 Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects

You can use the LDAP tools included with eDirectory on Linux, Solaris, and AIX systems to modify, view, and refresh the attributes of LDAP Server and Group objects.

For more information, see "Using LDAP Tools on Linux, Solaris, or AIX" in the Novell eDirectory 8.8 SP7 Administration Guide.

7.1.3 Using the nmasinst Utility to Configure Novell Modular Authentication Service

For eDirectory 8.8, by default, ndsconfig configures NMAS. You can also use nmasinst on Linux, Solaris, and AIX systems to configure NMAS.

ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst. For more information, see "Using the nmasinst Utility to Configure NMAS."

7.1.4 Using ndsd init Script

The ndsd init script starts the daemon when the system boots up, with the configuration parameters from the default configuration file, /etc/opt/novell/eDirectory/conf/nds.conf.

Before invoking ndsd, ensure that any SLP (Service Location Protocol) agent is running on the host. You can install OpenSLP, any native SLP available with your operating system, or Novell SLP.

To start ndsd, enter the following:

For Linux and Solaris: /etc/init.d/ndsd start
For HP-UX: /sbin/init.d/ndsd start

To stop ndsd, enter the following:

For Linux and Solaris: /etc/init.d/ndsd stop
For HP-UX: /sbin/init.d/ndsd stop

The following shell scripts are created in /opt/novell/eDirectory/sbin:

pre_ndsd_start
post_ndsd_start
pre_ndsd_stop
post_ndsd_stop

As the name indicates, the pre_ndsd_start script is executed before the ndsd binary is started by the /etc/init.d/ndsd script. The post_ndsd_start script is executed after the ndsd binary is started by the /etc/init.d/ndsd script. Similarly, the pre_ndsd_stop and post_ndsd_stop scripts are executed before and after killing the ndsd process, respectively.

Users can add commands of their choice to these scripts to get them executed. By default, the post_ndsd_start script has commands to ensure that /etc/init.d/ndsd comes out after ensuring that the LDAP services are up and running.


7.2 Configuration Parameters

The eDirectory configuration parameters are stored in the nds.conf file.

When configuration parameters are changed, ndsd needs to be restarted for the new value to take effect. You should use ndsmanage to restart ndsd.

However, for some configuration parameters, ndsd need not be restarted. These parameters are listed below:

n4u.nds.inactivity-synchronization-interval
n4u.nds.synchronization-restrictions
n4u.nds.janitor-interval
n4u.nds.backlink-interval
n4u.nds.drl-interval
n4u.nds.flatcleaning-interval
n4u.nds.server-state-up-threshold
n4u.nds.heartbeat-schema
n4u.nds.heartbeat-data

The following table provides a description of all the configuration parameters.
| Parameter | Description |
| --- | --- |
| n4u.nds.preferred-server | The host name of the machine that hosts the eDirectory service. Default = null |
| n4u.base.tree-name | The tree name that Account Management uses. This is a mandatory parameter set by the Account Management Installer. This parameter cannot be set. |
| n4u.base.dclient.use-udp | DClient can use UDP in addition to TCP for communicating with the eDirectory servers. This parameter enables the UDP transport feature. Default = 0. Range = 0, 1 |
| n4u.base.slp.max-wait | The Service Location Protocol (SLP) API calls timeout. Default = 30. Range = 3 to 100. This value is in seconds. This option is supported only by Novell SLP and not OpenSLP. |
| n4u.nds.advertise-life-time | eDirectory reregisters itself with the Directory Agent after this time period. Default = 3600. Range = 1 to 65535. This value is in seconds. |
| n4u.server.signature-level | Determines the level of enhanced security support. Increasing this value increases security, but decreases performance. Default = 1. Range = 0 to 3 |
| n4u.nds.dir | The eDirectory directory information database. Default: /var/opt/novell/eDirectory/data/ This parameter cannot be set using the ndsconfig set command. You can manually change this parameter if you want to relocate your DIB. However, we do not recommend you do so. |
| n4u.nds.server-guid | A globally unique identifier for the eDirectory server. Default = null |
| n4u.nds.server-name | The name of the eDirectory Server. Default = null |
| n4u.nds.bindery-context | The Bindery context string. Default = null |
| n4u.nds.server-context | The context that the eDirectory server is added to. This parameter cannot be set or changed. |
| n4u.nds.external-reference-life-span | The number of hours unused external references are allowed to exist before being removed. Default = 192. Range = 1 to 384 |
| n4u.nds.inactivity-synchronization-interval | The interval (in minutes) after which full synchronization of the replicas is performed, following a period of no change to the information held in the eDirectory on the server. Default = 60. Range = 2 to 1440 |
| n4u.nds.synchronization-restrictions | The Off value allows synchronization with any version of the eDirectory. The On value restricts synchronization to version numbers you specify as parameters. For example, ON,420,421. Default = Off |
| n4u.nds.janitor-interval | The interval (in minutes) after which the eDirectory Janitor process is executed. Default = 2. Range = 1 to 10080 |
| n4u.nds.backlink-interval | The interval (in minutes) after which the eDirectory backlink consistency is checked. Default = 780. Range = 2 to 10080 |
| n4u.nds.drl-interval | The interval (in minutes) after which the eDirectory distributed reference link consistency is checked. Default = 780. Range = 2 to 10080 |
| n4u.nds.flatcleaning-interval | The interval (in minutes) after which the flatcleaner process automatically begins purging and deleting entries from the database. Default = 720. Range = 1 to 720 |
| n4u.nds.server-state-up-threshold | The server state up threshold, in minutes. This is the time after which the eDirectory checks the server state before returning -625 errors. Default = 30. Range = 1 to 720 |
| n4u.nds.heartbeat-schema | The heartbeat base schema synchronization interval in minutes. Default = 240. Range = 2 to 1440 |
| n4u.nds.heartbeat-data | The heartbeat synchronization interval in minutes. Default = 60. Range = 2 to 1440 |
| n4u.nds.dofsync | Setting this parameter to 0 increases update performance significantly for large databases, but there is a risk of database corruption if the system crashes. |
| n4u.server.configdir | The eDirectory configuration files are placed here. Default = /etc |
| n4u.server.vardir | The eDirectory and utilities log files are placed here. Default = /var/opt/novell/eDirectory/log |
| n4u.server.libdir | The eDirectory specific libraries are placed here in the nds-modules directory. Default = /opt/novell/eDirectory/lib |
| n4u.server.sid-caching | Enables SSL session ID caching. Refer to the SSL v3.0 RFC for more details about session ID caching in SSL. |
| n4u.server.tcp-port | The default port used if the port number is not specified in the n4u.server.interfaces parameter. |
| n4u.server.interfaces | The IP address and port number that eDirectory server should listen on for client connections. The value can be a comma-separated list specifying more than one combination of possible settings. For example: n4u.server.interfaces=101.1.2.3@524,100.1.2.3@1524 |
| n4u.server.max-interfaces | This parameter specifies maximum number of interfaces that eDirectory will use. Default = 128. Range = 1 to 2048 |
| n4u.server.max-openfiles | This parameter specifies the maximum number of file descriptors that eDirectory can use. Default = maximum allowed by the administrator |
| n4u.server.max-threads | The maximum number of threads that will be started by the eDirectory server. This is the number of concurrent operations that can be done within the eDirectory server. Default = 64. Range = 32 to 512. Refer to the Novell eDirectory 8.8 SP7 Tuning Guide for UNIX* Platforms to set an optimum value. |
| n4u.server.idle-threads | The maximum number of idle threads that are allowed in the eDirectory server. Default = 8. Range = 1 to 128 |
| n4u.server.start-threads | Initial number of threads to be started up. Default = 8 |
| n4u.server.log-levels | This parameter helps to configure the error logging settings for the server-side messages. It sets the message log level to LogFatal, LogWarn, LogErr, LogInfo, or LogDbg. |
| n4u.server.log-file | This parameter specifies the log file location where the messages would be logged. By default, the messages are logged into the ndsd.log file. |
| n4u.ldap.lburp.transize | Number of records that are sent from the Novell Import/Export client to the LDAP server in a single LBURP packet. You can increase the transaction size to ensure that multiple add operations can be performed in a single request. Default = 25. Range = 1 to 250 |
| n4u.server.listen-on-loopback | It is a boolean parameter, and enabled by default. In a few recent Linux distributions, the hostname in the /etc/hosts file is associated with the loopback address. Though the common address given in the SLES systems is 127.0.0.2, it can be anything from 127.0.0.0 to 127.255.255.255 (valid loopback addresses). |
| http.server.interfaces | Comma-separated list of interfaces that HTTP server should use. |
| http.server.request-io-buffer-size | Default IO buffer size. |
| http.server.request_timeout-seconds | Server request timeout. |
| http.server.keep-timeout-seconds | Number of seconds to wait for the next request from the same client on the same connection. |
| http.server.threads-per-processor | HTTP thread pool size per processor. |
| http.server.session-exp-seconds | Session expiration time in seconds. |
| http.server.sadmin-passwd | Session administrator password. |
| http.server.module-base | HTTP server webroot. |
| https.server.cached-cert-dn | HTTPS server cached certificate DN. |
| https.server.cached-server-dn | HTTPS server cached DN. |
| http.server.trace-level | Diagnostic trace level of HTTP server. |
| http.server.auth-req-tls | HTTP server authentication requires TLS. |
| http.server.clear-port | Server port for the HTTP protocol. |
| http.server.tls-port | Server port for the HTTPS protocol. |

NOTE: For more detailed information on the eDirectory configuration parameters, refer to the nds.conf man page.
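The following Python script, added here and not part of Novell's tooling, checks an nds.conf body against the ranges given in the parameter table, flags n4u.nds.dofsync=0, and validates each IP@port entry of n4u.server.interfaces. It assumes one key=value pair per line and treats lines starting with # as comments; parameter names are written without line-wrap breaks, and the sample configuration is constructed.

```python
import ipaddress

# Inclusive ranges copied from the parameter table in this section.
RANGES = {
    "n4u.base.dclient.use-udp": (0, 1),
    "n4u.base.slp.max-wait": (3, 100),
    "n4u.nds.advertise-life-time": (1, 65535),
    "n4u.server.signature-level": (0, 3),
    "n4u.nds.external-reference-life-span": (1, 384),
    "n4u.nds.inactivity-synchronization-interval": (2, 1440),
    "n4u.nds.janitor-interval": (1, 10080),
    "n4u.nds.backlink-interval": (2, 10080),
    "n4u.nds.drl-interval": (2, 10080),
    "n4u.nds.flatcleaning-interval": (1, 720),
    "n4u.nds.server-state-up-threshold": (1, 720),
    "n4u.nds.heartbeat-schema": (2, 1440),
    "n4u.nds.heartbeat-data": (2, 1440),
    "n4u.server.max-interfaces": (1, 2048),
    "n4u.server.max-threads": (32, 512),
    "n4u.server.idle-threads": (1, 128),
    "n4u.ldap.lburp.transize": (1, 250),
}

# Constructed sample; the server name and addresses are made up for the example.
SAMPLE = """\
n4u.nds.server-name=cluster-server
n4u.server.signature-level=5
n4u.nds.janitor-interval=2
n4u.server.max-threads=16
n4u.nds.dofsync=0
n4u.server.interfaces=192.0.2.10@524,127.0.0.2@1524,192.0.2.11@70000
"""


def parse_nds_conf(text):
    """Return {parameter: value}; blank lines, # comments and lines without '=' are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_interfaces(value):
    """Check each comma-separated IP@port entry of n4u.server.interfaces."""
    problems = []
    for entry in (e.strip() for e in value.split(",")):
        addr, sep, port = entry.partition("@")
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{entry!r}: not a valid IP address")
            continue
        if sep and not (port.isdecimal() and 1 <= int(port) <= 65535):
            problems.append(f"{entry!r}: port is not in 1..65535")
        if ip.is_loopback:
            problems.append(f"{entry!r}: loopback address, unreachable for remote clients")
    return problems


def audit(text):
    """Return a list of (parameter, message) findings for an nds.conf body."""
    params = parse_nds_conf(text)
    findings = []
    for key, (low, high) in RANGES.items():
        if key not in params:
            continue
        try:
            value = int(params[key])
        except ValueError:
            findings.append((key, f"{params[key]!r} is not an integer"))
            continue
        if not low <= value <= high:
            findings.append((key, f"{value} is outside the documented range {low} to {high}"))
    # The table warns that dofsync=0 trades crash safety for update speed.
    if params.get("n4u.nds.dofsync") == "0":
        findings.append(("n4u.nds.dofsync", "0 risks database corruption if the system crashes"))
    if "n4u.server.interfaces" in params:
        for problem in check_interfaces(params["n4u.server.interfaces"]):
            findings.append(("n4u.server.interfaces", problem))
    return findings


if __name__ == "__main__":
    for parameter, message in audit(SAMPLE):
        print(f"{parameter}: {message}")
```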


7.3 Security Considerations

The following security considerations are recommended:

Make sure that only authenticated users have browse rights to the tree. To limit this, do the following:
Remove browse rights of [Public] on tree root.
Assign [Root] browse rights on tree root.
Set the ldapBindRestrictions attribute on the LDAP server object to Disallow anonymous Simple Bind. This prevents the clients from doing anonymous binds.
By default, the cipher is set to Export. Make LDAP more secure by setting the cipher to HIGH. To do this, change the bind restrictions attribute of the LDAP Server object to Use Higher Cipher (greater than 128 bit).


Migrating to eDirectory 8.8 SP7

This document guides you to migrate your Novell eDirectory 8.7.3.x server to eDirectory 8.8 SP7 when you have to upgrade your operating system also.

With the change in the operating systems supported in eDirectory 8.8 SP7, there are certain versions that eDirectory 8.8 SP7 does not support that were earlier supported with eDirectory 8.7.3.x.

There are two scenarios while migrating to eDirectory 8.8 SP7:

Migrating to eDirectory 8.8 SP7 when platform upgrade is possible
    In this scenario, you upgrade your operating system to a supported version and then upgrade eDirectory to eDirectory 8.8 SP7.
Migrating to eDirectory 8.8 SP7 when platform upgrade is not possible
    In this scenario, you cannot upgrade your operating system to a supported version as the operating system migration path is not possible.

8.1 Migrating to eDirectory 8.8 SP7 While Upgrading the Operating System

In this scenario, you can migrate to eDirectory 8.8 SP7 after upgrading the operating system. The table below describes the migration path.

IMPORTANT: Ensure that you have upgraded eDirectory 8.7.3 with the latest set of patches.
Table 8-1 Migration Path

| Operating System | Starting State | Intermediate State | Desired State |
| --- | --- | --- | --- |
| Windows | Windows 2000 SP4 + eDirectory 8.7.3.x | Windows 2003 SP2 + eDirectory 8.7.3.x | Windows 2003 SP2 + eDirectory 8.8 SP7 |
| Windows | Windows 2003 SP2 + eDirectory 8.7.3.x | Windows 2003 SP2 + eDirectory 8.8 SP7 | Windows 2008 SP2 + eDirectory 8.8 SP7 |
| Linux | SLES 9 + eDirectory 8.7.3.x | SLES 10 + eDirectory 8.7.3.x | SLES 10 + eDirectory 8.8 SP7 |
| Linux | RedHat AS 4.0 + eDirectory 8.8 SP2 | RedHat AS 5.3 + eDirectory 8.8 SP2 | RedHat AS 5.3 + eDirectory 8.8 SP7 |
| Solaris | Solaris 9 + eDirectory 8.8 SP2 | Solaris 10 + eDirectory 8.8 SP2 | Solaris 10 + eDirectory 8.8 SP7 |
| AIX | AIX 5.3 + eDirectory 8.8 SP6 | AIX 6.1 + eDirectory 8.8 SP6 | AIX 6.1 + eDirectory 8.8 SP7 |

Precautions: Before upgrading eDirectory on UNIX and Linux, ensure that the hostname is configured to a valid IP address and not to loopback address in /etc/hosts file.
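The hostname precaution for UNIX and Linux can be checked before an upgrade. This added Python example (not from the Novell guide) reports whether a hosts file maps the server's hostname to a loopback address, which covers 127.0.0.0 to 127.255.255.255 and ::1; the host names and addresses in the samples are constructed.

```python
import ipaddress
import socket


def hostname_addresses(hosts_text, hostname):
    """Return (loopback, other) address lists that hosts_text assigns to hostname.

    Names are compared case-insensitively, as full names and as short names, so
    "edir1" matches an entry for "edir1.example.com" (a deliberate over-match
    for a pre-upgrade check).
    """
    wanted = {hostname.lower(), hostname.lower().split(".")[0]}
    loopback, other = [], []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address line
        names = set()
        for name in fields[1:]:
            names.update((name.lower(), name.lower().split(".")[0]))
        if wanted & names:
            (loopback if ip.is_loopback else other).append(str(ip))
    return loopback, other


def ready_for_upgrade(hosts_text, hostname):
    """True only if hostname has a non-loopback address and no loopback mapping."""
    loopback, other = hostname_addresses(hosts_text, hostname)
    return bool(other) and not loopback


# Constructed samples: a SLES-style loopback entry and a corrected file.
SAMPLE_BAD = """\
127.0.0.1   localhost
127.0.0.2   edir1.example.com edir1   # hostname tied to a loopback address
::1         localhost ip6-localhost
"""
SAMPLE_GOOD = """\
127.0.0.1   localhost
192.0.2.10  edir1.example.com edir1
"""

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        text = fh.read()
    name = socket.gethostname()
    loop, routable = hostname_addresses(text, name)
    print(f"{name}: loopback={loop} other={routable} "
          f"ready={ready_for_upgrade(text, name)}")
```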

Recommendations
1 Back up your eDirectory 8.7.3.x files before upgrading the operating system. Stop eDirectory and back up the following files:
    dib directory
    nds.rfl directory (by default this directory is present under the dib directory)
    nds.conf file
    nici directory
    log files

2 Do not perform any operations on the intermediate state other than upgrading eDirectory, if the eDirectory version is not supported on a particular operating system in the intermediate state. For example, eDirectory 8.7.3.x on Solaris 10.

8.2 Migrating to eDirectory 8.8 SP7 Without Upgrading the Operating System

This method is used in scenarios where there is no operating system upgrade path to supported eDirectory 8.8 SP7 version.

For example, eDirectory 8.7.3.x is installed on SLES 9. A customer using SLES 9 wants to upgrade to eDirectory 8.8 SP7. eDirectory 8.8 SP7 is supported on SLES 11 and there is no upgrade path from SLES 9 to SLES 11.

Complete the following steps to migrate to eDirectory 8.8 SP7:

1 Stop the eDirectory server
2 Take a backup of the following eDirectory 8.7.3.x files:
    dib directory
    nds.rfl directory (by default, this directory is present under the dib directory)
    nds.conf file
    nici directory
    log files
3 Install the operating system
4 Remove the nici directory from /var/novell and restore the nici directory to /var/opt/novell
5 Ensure that /var/novell/nici is pointing to /var/opt/novell/nici
6 Install eDirectory 8.8 SP7 on the server (a new install)
7 Restore the dib and nds.rfl directories
8 Restore the nds.conf to the user-specified location
9 Edit /etc/opt/novell/eDirectory/conf/.edir/instances.0 and put the absolute path to nds.conf file.
10 Edit the nds.conf file and add the following.
    n4u.nds.dir=_file_location
    n4u.server.libdir=/opt/novell/eDirectory/lib
    n4u.server.vardir=var_directory
    n4u.server.configdir=/etc/opt/novell/eDirectory/conf
    http.server.module-base=http_server_module_base_directory
11 Set the path as follows:
    Use /opt/novell/eDirectory/bin/ndspath utility.
12 Run ndsconfig upgrade after setting the path.


Migrating eDirectory from NetWare to OES 2 Linux

eDirectory migration from NetWare requires the migration of eDirectory data and server identity to provide seamless accessibility after migration. The eDirectory migration utility performs all of the pre-migration tasks, health validations and server backups, server migration tasks, and post-migration tasks for you.

The following sections give you more details on the migration procedure for eDirectory. For more information, see the Novell Open Enterprise Server Migration Web site (http://www.novell.com/products/openenterpriseserver/migrate.html) and the OES 2 SP3: Upgrading to OES Best Practices Guide (http://www.novell.com/documentation/oes2/upgrade_to_oes_lx/data/front.html).

Section 9.1, "Planning Your Migration"
Section 9.2, "Migration Tools"
Section 9.3, "Migration Procedure"
Section 9.4, "After the Migration"

9.1 Planning Your Migration

This section lists the important requirements that must be verified before attempting eDirectory migration.

Section 9.1.1, "System Requirements"
Section 9.1.2, "Prerequisites"
Section 9.1.3, "Supported Platforms"

9.1.1 System Requirements

The target server must run OES 2 and should have the eDirectory 8.8 SP7 RPMs already installed.

If the target OES 2 server has a default eDirectory 8.8 SP7 instance already configured, this instance should be active. This instance will be overwritten after the migration.

OES 2 does not support multiple instances of eDirectory on the same server, so any non-default instances should not be running during migration.

The source NetWare server should be running and should not be part of any partition operation.

9.1.2 Prerequisites

The eDirectory migration utility will run only on the target server and must be able to access the NetWare server remotely.


9.1.3 Supported Platforms

The eDirectory migration utility is designed to run on the Linux version of OES 2, which is the target platform for migration. The following table lists the compatible eDirectory versions at source and the corresponding target servers:

Table 9-1 eDirectory Versions at Source and Target Servers

| Source Server | Target Server |
| --- | --- |
| NetWare 5.1 SP8 + eDirectory 8.7.3.6 | Physical or Virtualized OES2 Linux 32 or 64 |
| NetWare 5.1 SP8 + eDirectory 8.7.3.7 | Physical or Virtualized OES2 Linux 32 or 64 |
| NetWare 6.5 SP6 + eDirectory 8.7.3.9 | Physical or Virtualized OES2 Linux 32 or 64 |
| NetWare 6.5 SP6 + eDirectory 8.8 | Physical or Virtualized OES2 Linux 32 or 64 |
| NetWare 6.5 SP6 + eDirectory 8.8 SP1 | Physical or Virtualized OES2 Linux 32 or 64 |
| NetWare 6.5 SP6 + eDirectory 8.8 SP3 | Physical or Virtualized OES2 Linux 32 or 64 |

9.1.4 Considerations

IP address and DNS migrations are not performed by this migration utility.

Only the eDirectory instance will be migrated. Applications depending on eDirectory will not be migrated.

You should not use this migration methodology if you want both the servers to be available during the migration operation.

NOTE: Only the target server will be available after the migration. The source server will be locked. Other service migrations cannot be performed after completing eDirectory migration.

9.2 Migration Tools

The eDirectory migration is performed independently of the OES migration framework. The complete migration task is performed by invoking the migedir command line utility.

9.3 Migration Procedure

1 Run the migedir utility by entering the following command on the target server:

    migedir -s <IP address> [-A <log directory name>] [-t] [-v] [-h]

    The utility takes the following command line options:

| Option | Description |
| --- | --- |
| -s IP address | Specifies the IP address of the source server containing the eDirectory instance to be migrated. IMPORTANT: -s is a mandatory parameter. |
| -A directory name | Enables auditing. directory name specifies the directory in which log files should be created. |
| -t | Tests the validity of the input parameters. NOTE: This option verifies the IP address. However, it does not perform the actual migration. |
| -v | Enables the verbose mode. |
| -h | Prints help about using this utility. |

2 Follow the on-screen instructions as the utility performs the migration.

The migration utility does some pre-migration checks, performs the migration, then does some post-migration tasks.

"Pre-migration"
"Migration"
"Post-migration"
"Handling Failures"

Pre-migration

The utility performs the following checks:

The health and state of the replicas in the ring are verified.
Configuration information for the server being migrated is collected and written to a configuration file to be used by other operations during the migration.
Time synchronization is verified between the source and target servers.
The target server is checked for any existing eDirectory instances.
    If the instance exists, the user is prompted and the existing instance is removed before proceeding with the migration.
    If the instance doesn't exist, a new instance is configured and used.

Migration

The utility performs the migration of the eDirectory instance from the collected configuration information. This involves backing up the source server data, locking the eDirectory instance in the source server, migrating data to the target server, and restoring the eDirectory instance on the target server. The dependent NICI files are also migrated.

The utility also configures the local instance in the target server with the source server details obtained during the previous checks.

Post-migration

After migration, the following tasks are performed by the utility:

The nds.conf configuration file is modified with the source server eDirectory instance information, such as tree name and server name.
The eDirectory instance in the target server is restarted so it can use the new data.
Network address repair is performed to start the synchronization of the new IP address in the replica ring.

Handling Failures

During migration, the database in the source server is locked to avoid multiple copies of the instance running on the source and target servers. Multiple copies of the same instance can lead to data inconsistency. If the process fails and if you intend to bring up the source server again, you need to perform the following tasks:

1 Remove the partially migrated eDirectory instance on the target server.

    For more information on how to remove the eDirectory instance from a server, see Section 1.6.4, "Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server."

2 Restore and unlock the database in the source server.

    For more information on how to unlock and restore the database, see "Using the eMBox Client for Backup and Restore" in the Novell eDirectory 8.8 SP7 Administration Guide.

The database backup is saved in the sys:ni/data folder.

9.4 After the Migration

After migration, the target eDirectory instance listens on the IP address of the target server and not on the source server's address. It requires additional time after migration for the eDirectory instance to synchronize the new IP address in the replica ring. Successful eDirectory migration can be verified by performing eDirectory operations on the new IP address.

IMPORTANT: If you want to use the existing security certificates, you must change the IP address of the target server to that of the source server. If you don't want to do this, you must issue new certificates.

NOTE: If you change the IP address of the target server after migration, you must modify the nds.conf file, restart the eDirectory instance, and repair the network address and partitions replica manually. For more information on repairing eDirectory instance, refer to "DSRepair Options" in the Novell eDirectory 8.8 SP7 Administration Guide.


10 Deploying eDirectory on High Availability Clusters

The primary method through which Novell eDirectory supports high availability is by configuring multiple servers through synchronization. However, clustering may be a more viable alternative for achieving high availability in some environments.

This section provides guidelines for configuring eDirectory on high availability clusters by using shared storage. The information in this section is generalized for shared storage high availability clusters on supported Windows and Linux platforms, and the information is not specific to a particular cluster manager.

State data for eDirectory must be located on the shared storage so that it is available to the cluster node that is currently running the services. This means that the eDirectory DIB must be located on the cluster shared storage. The root eDirectory instance on each of the cluster nodes must be configured to use the DIB on the shared storage.

In addition to the DIB, it is also necessary to share NICI (Novell International Cryptographic Infrastructure) data so that server-specific keys are replicated among the cluster nodes. NICI data used by all cluster nodes must be located on the cluster shared storage.

Other eDirectory configuration and log data should also reside on shared storage.

eDirectory 8.8 SP7 includes a utility for both Linux and Windows servers that automatically configures eDirectory in your clustered environment, including copying data to a specified shared storage location, updating the appropriate configuration parameters, and setting up eDirectory services on cluster nodes other than the primary node.

The procedures in the following sections are based on the following assumptions:

You are familiar with eDirectory installation procedures.
You are using a two-node cluster.

NOTE: A two-node cluster is the minimum configuration used for high availability. However, the concepts in this section can easily be extended to a cluster with additional nodes. Note that eDirectory does not support load balancing by using multiple cluster nodes.

This section covers the following topics:

Section 10.1, "Clustering eDirectory Services on Linux"
Section 10.2, "Clustering eDirectory Services on Windows"
Section 10.3, "Troubleshooting Clustered Environments"
Section 10.4, "Configuration Utility Options"


10.1 Clustering eDirectory Services on Linux

This section describes how to configure eDirectory 8.8 by using high availability clustering on Linux.

Section 10.1.1, "Prerequisites"
Section 10.1.2, "Installing and Configuring eDirectory"
Section 10.1.3, "Configuring SNMP Server in Clustered Linux Environments"

10.1.1 Prerequisites

Two or more Linux servers with clustering software
External shared storage supported by the cluster software, with sufficient disk space to store all eDirectory and NICI data
Virtual IP address
Novell eDirectory 8.8 SP7 or later

NOTE: The nds-cluster-config utility only supports configuring the root eDirectory instance. eDirectory does not support configuring multiple instances and non-root installations of eDirectory in a cluster environment.

10.1.2

Installing and Configuring eDirectory


1 Install and configure eDirectory on the server you want to use as the primary cluster node. For more information on installation and configuration procedures, refer to Section 1.6.2, "Using the nds-install Utility to Install eDirectory Components," on page 20.

NOTE
When configuring eDirectory, the default NCP server name is the host server name of the computer on which you installed eDirectory. Because eDirectory is hosted on multiple hosts in a clustered environment, however, you should specify an NCP server name that is unique to the cluster instead of using the default name. For example, you can specify the name clusterserver for the NCP server when you configure eDirectory on the primary cluster node.
During the configuration process, ensure you set the virtual IP address for your eDirectory installation. In a clustered environment, eDirectory only listens on the virtual IP address, not on the system IP address.

2 After you install and configure eDirectory, navigate to the nds.conf file, which is located in the /etc/opt/novell/eDirectory/conf directory.
3 Edit the nds.conf file to set the value of the n4u.nds.preferred-server setting to the virtual IP address of the clustered installation, then save and close the file.
4 Verify the eDirectory installation by using the ndsstat command.
eDirectory must be up and running on the primary cluster node.
5 Mount the shared file system by using the cluster manager.
6 Back up all data in the following directories before running the configuration utility:
/var/opt/novell/nici
/var/opt/novell/eDirectory/data (n4u.server.vardir)
/var/opt/novell/eDirectory/data/ (n4u.nds.dir)
/etc/opt/novell/eDirectory/conf (n4u.server.configdir)
/var/opt/novell/eDirectory/log

NOTE: If you install eDirectory in a nondefault location, you can use the ndsconfig get command to find the vardir, dir paths used in your installation. nds.conf should be in the default location, which is /etc/opt/novell/eDirectory/conf/nds.conf.

7 On the primary cluster node server, open a terminal and run the following command to stop the eDirectory service:
ndsmanage stopall
8 In the terminal, navigate to the location of the configuration utility, nds-cluster-config. The utility is located in the /opt/novell/eDirectory/bin directory.
9 Run the following command:
nds-cluster-config -s /<sharedfilesystem>
Where <sharedfilesystem> is the location you want to use for the eDirectory shared cluster data.

NOTE: You can also run the utility in unattended mode by using the -u option. If you use this option, the utility does not ask for confirmation when configuring eDirectory on a cluster. If you use the unattended option, you must also use the -s option and specify the shared cluster file system.

10 After the utility verifies the cluster shared storage is valid, click y to continue with configuration on the cluster.
The configuration utility moves the data in the directories above to the following locations on the shared file system:
<sharedfilesystem>/nici
<sharedfilesystem>/data
<sharedfilesystem>/data/
<sharedfilesystem>/conf
<sharedfilesystem>/log


11 Start eDirectory services by running the following command:
ndsmanage startall
12 Check the status of eDirectory by using ndsstat. eDirectory services should be up and running.
13 Stop eDirectory services by running the following command:
ndsmanage stopall
14 Log in to the server you want to use as the secondary node of the cluster.
15 Use the cluster manager to move the shared storage to the secondary node.
16 Install the same version of eDirectory on the secondary cluster node that you installed on the primary cluster node, but do not configure eDirectory.
17 In the terminal, navigate to the location of the configuration utility on the secondary node. The utility is located in the /opt/novell/eDirectory/bin directory.
18 Open a terminal and run the following command:
nds-cluster-config -s /<sharedfilesystem>
Where <sharedfilesystem> is the cluster shared storage. The path of the <sharedfilesystem> should be same as the path location specified when the primary node was configured.
The nds-cluster-config utility links the secondary cluster node to the shared eDirectory data located on the shared cluster file system.
19 Start eDirectory services by running the following command:
ndsmanage startall
Verify the status of eDirectory by using the ndsstat command.
20 Stop eDirectory services on the secondary node by running the ndsmanage stopall command.
21 After successfully configuring eDirectory on both nodes of the cluster, you must also change the startup mode of the ndsd service on each node by using the following command:
chkconfig -d ndsd
22 After the configuration utility finishes configuring the secondary node, you can use the cluster manager to add the eDirectory services in the cluster.

IMPORTANT: Ideally, the cluster manager checks that the same DIB is not accessed by two or more nodes simultaneously. However, you must ensure that ndsd does not run from two or more cluster nodes simultaneously. This is because accessing the same DIB through two or more nodes leads to DIB corruption.
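Steps 3 and 6 of the procedure above (n4u.nds.preferred-server set to the virtual IP address, and a backup of the listed directories) can be checked from a script before nds-cluster-config is run. This is an added example, not part of the Novell guide: it assumes nds.conf holds one key=value setting per line, and the function names and the sample address in the usage note are hypothetical.

```shell
#!/bin/sh
# Pre-flight checks for the primary node, run before nds-cluster-config.
# Added example. Assumption: nds.conf stores settings as key=value lines.

# Print the value of one nds.conf setting (if repeated, the last one wins).
nds_conf_get() {   # usage: nds_conf_get <conf-file> <key>
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Succeed only if n4u.nds.preferred-server is exactly the cluster virtual IP.
check_preferred_server() {   # usage: check_preferred_server <conf-file> <virtual-ip>
    actual=$(nds_conf_get "$1" n4u.nds.preferred-server)
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "n4u.nds.preferred-server is '${actual:-unset}', expected '$2'" >&2
    return 1
}

# Archive the given directories into one tar file readable only by its owner
# (the NICI and DIB data are sensitive). Refuses to run if a directory is missing,
# so a typo in a path cannot silently produce a partial backup.
backup_dirs() {   # usage: backup_dirs <archive.tar> <dir>...
    archive=$1
    shift
    for d in "$@"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    done
    ( umask 077; tar -cf "$archive" "$@" ) 2>/dev/null || return 1
    tar -tf "$archive" >/dev/null    # the archive must be listable
}

# Both checks against the default locations named in the guide.
preflight() {   # usage: preflight <virtual-ip> <archive.tar>
    check_preferred_server /etc/opt/novell/eDirectory/conf/nds.conf "$1" || return 1
    backup_dirs "$2" \
        /var/opt/novell/nici \
        /var/opt/novell/eDirectory/data \
        /etc/opt/novell/eDirectory/conf \
        /var/opt/novell/eDirectory/log
}
```

Source the file and call, for example, `preflight 192.0.2.10 /root/edir-precluster.tar` as root after step 5; a non-zero return means nds-cluster-config should not be run yet.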

10.1.3

Configuring SNMP Server in Clustered Linux Environments


1 On all the nodes, modify the snmpd.conf file. For more information, see "Installing and Configuring SNMP Services for eDirectory" in the Novell eDirectory 8.8 SP7 Administration Guide.
2 Start ndssnmpsa.
3 Select Yes as the Remember password option.
4 To start the snmp service, perform either of the following:
Add /etc/init.d/ndssnmpsa start to the post_ndsd_start script and /etc/init.d/ndssnmpsa stop to the pre_ndsd_stop script.
Add ndssnmpsa as a cluster resource with a dependency on eDirectory resource.

NOTE: Because eDirectory is listening on a virtual IP address, traps have the IP address of the host, which is the Agent IP address.

10.2

Clustering eDirectory Services on Windows


This section describes how to configure eDirectory 8.8 by using high availability clustering on Windows.
Section 10.2.1, "Prerequisites," on page 120
Section 10.2.2, "Installing and Configuring eDirectory," on page 121
Section 10.2.3, "Configuring SNMP Server in Clustered Windows Environments," on page 122

10.2.1

Prerequisites
Two or more Windows servers with clustering software
External shared storage supported by the cluster software
Virtual IP address
Novell eDirectory 8.8 SP7 or later

10.2.2

Installing and Configuring eDirectory


1 Install and configure eDirectory on the server you want to use as the primary cluster node. For more information on installation and configuration procedures, refer to Section 4.6.1, "Installing or Updating Novell eDirectory 8.8 on a Windows Server," on page 75.
2 Mount the shared volume by using the cluster manager.
3 Back up all DIB files and NICI data before running the configuration utility.
4 On the primary cluster node, open a terminal and navigate to the NDSCons.exe utility. The utility is located in the <eDirectory installation folder> folder by default.
5 In the terminal, run the following command:
NDSCons.exe
6 In the NDSCons utility, click Shutdown to stop all eDirectory services.
7 Click Yes to confirm.
8 In the terminal, navigate to the location of the configuration utility, dsclusterconfig.exe. The utility is located in the <eDirectory installation folder> folder by default.
9 Run the following command:
dsclusterconfig.exe -s /<sharedfilesystem>
Where <sharedfilesystem> is the location you want to use for the eDirectory shared cluster data.

NOTE
You can also run the utility in unattended mode by using -s with the -u option.
You must specify a folder within a shared drive mounted on the primary cluster node. You cannot specify only a drive name. For example, instead of specifying E:, you must specify E:\Novell.

10 After the utility verifies the cluster shared storage is valid, click y to continue with configuration on the cluster.
The configuration utility moves the data in the directories above to the following locations on the shared file system:
<sharedfilesystem>/nici
<sharedfilesystem>/Files
In addition to moving eDirectory data to the shared file system, the utility copies the eDirectory service registry key to the shared volume, saving the key as the file ndsConfigKey.
The utility also changes the Startup Type of the NDS Server service on the primary node computer from Automatic to Manual.
11 In the NDSCons utility, click Startup to start all eDirectory services.
12 Verify that all eDirectory services are running, then use the NDSCons utility to stop services again.
13 Close the NDSCons utility.
14 Log in to the server you want to use as the secondary node of the cluster.

15 Use the cluster manager to move the shared storage to the secondary node.
16 Use the eDirectory installer to perform an unattended installation of eDirectory on the secondary node. Ensure that the mode of installation is install.
17 In the terminal, navigate to the location of the configuration utility on the secondary node. The utility is located in the eDirectory installation folder by default.
18 Run the following command:
dsclusterconfig.exe -s /<sharedfilesystem>
Where <sharedfilesystem> is the cluster shared storage. The path of the <sharedfilesystem> should be same as the path location specified when the primary node was configured.
19 The dsclusterconfig utility updates registry on the secondary cluster node to the shared eDirectory data located on the shared cluster file system.
20 After the configuration utility finishes configuring the secondary node, open the NDSCons utility.
21 In the NDSCons utility, click Startup.
22 Click Yes to confirm.
23 When NDSCons starts all eDirectory services, verify eDirectory, then click Shutdown.
24 Click Yes to confirm.
25 To configure eDirectory in the Cluster Resource group, create a new resource in the Resource Group to be used for eDirectory.
You must provide the following details:
Resource type: Generic Service
Dependent on IP address and shared disk in the Resource Group
Service name: NDS Server0
No start parameters
Registry keys: SYSTEM\CurrentControlSet\Services\NDS Server0

NOTE: Ideally, the cluster manager checks that the same DIB is not accessed by two or more nodes simultaneously. However, you must ensure that ndsd does not run from two or more cluster nodes simultaneously. This is because accessing the same DIB through two or more nodes leads to DIB corruption.

10.2.3

Configuring SNMP Server in Clustered Windows Environments


1 On the primary cluster node, configure the master agent and set the startup type to automatic. For more information, see "Installing and Configuring SNMP Services for eDirectory" in the Novell eDirectory 8.8 SP7 Administration Guide.
2 Save the eDirectory password when it prompts for the password.
3 Start the subagent.
4 Perform Step 1 to Step 3 on the other nodes.


10.3
10.3

Troubleshooting Clustered Environments

10.3.1

Repairing or Upgrading eDirectory on Clustered Nodes
While you perform a repair or upgrade on any of the cluster nodes, the other cluster nodes must be paused or on standby to ensure that automatic failover does not occur.

10.3.2

Creating Windows Registry Keys


As part of the configuration process in clustered Windows environments, the configuration utility automatically creates a registry key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDS Server0\ImagePath, on the cluster shared file system. eDirectory needs the registry key in order to start the x86 NDS Server service on the cluster nodes.

If the utility cannot create the registry key and returns an error message during configuration, you must use the Registry Editor to manually create the registry key on all cluster nodes, even if the configuration utility appears to have successfully completed the configuration.

Create the following registry key on all nodes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDS Server0\ImagePath

Assign the following value to the ImagePath key:
"<primarynodeinstallfolder>\NDS\ndsserv.exe" /DataDir="<sharedstorage>\Files" ds

Where <primarynodeinstallfolder> is the folder where you installed eDirectory on the primary node and <sharedstorage> is the path to the shared file system location.

10.4

Configuration Utility Options


The options available for use in the configuration utility are as follows:
<configuration utility> [-h] [-u] [-s /<sharedfilesystem>]

Where <configuration utility> is either nds-cluster-config or dsclusterconfig.exe, depending on the platform, and <sharedfilesystem> is the location you want to use for the eDirectory shared cluster data.


Parameter   Description
-h          Displays the configuration utility help.
-s          Specifies the shared directory path for the cluster.
-u          Enables the utility to configure eDirectory on the cluster in unattended mode. If you run the utility by using the -u option, you must also use the -s option and specify the shared directory path. For example:
            nds-cluster-config -u -s <sharedfilesystem>

11

Uninstalling Novell eDirectory

This chapter contains the following information:
Section 11.1, "Uninstalling eDirectory on Windows," on page 125
Section 11.2, "Uninstalling eDirectory on Linux, Solaris, or AIX," on page 129
Section 11.3, "Unattended Uninstallation of eDirectory on UNIX," on page 130
Section 11.4, "Caveats for Uninstalling eDirectory," on page 131

11.1

Uninstalling eDirectory on Windows


Use the Windows Control Panel to remove eDirectory, ConsoleOne, SLP DA, and NICI from Windows servers.

IMPORTANT: Removing eDirectory also removes the roll-forward log directory and all the logs in it. If you want to be able to use the logs for restoring eDirectory on this server in the future, before removing eDirectory you must first copy the roll-forward logs to another location. For information about roll-forward logs, see "Using Roll-Forward Logs" in the Novell eDirectory 8.8 SP7 Administration Guide.

Section 11.1.1, "Uninstalling eDirectory, ConsoleOne, and SLP DA," on page 125
Section 11.1.2, "Unattended Uninstallation of eDirectory," on page 126
Section 11.1.3, "Uninstalling NICI," on page 129
Section 11.1.4, "Uninstalling Microsoft Visual C++ 2005 Runtime Libraries," on page 129

NOTE: The HTML files created using iMonitor are not removed. You must manually remove these files from <install directory>\novell\NDS\ndsimon\dsreports before removing eDirectory.

11.1.1

Uninstalling eDirectory, ConsoleOne, and SLP DA


1 On the Windows server where eDirectory is installed, click Start > Settings > Control Panel > Add/Remove Programs.
2 Select eDirectory, ConsoleOne, or the SLP Directory Agent from the list, then click Add/Remove.
3 Confirm that you want to remove your selection by clicking Yes.
The Installation Wizard removes the program from the server.

11.1.2

Unattended Uninstallation of eDirectory


On Windows, the unattended uninstallation of eDirectory uses predefined text files that facilitate the unattended uninstallation. You can perform the following actions by using the unattended uninstallation mode of eDirectory:
Deconfiguration of the installed eDirectory.
Standalone uninstallation of eDirectory.
Both uninstallation and deconfiguration of eDirectory.

The following sections discuss various features of unattended eDirectory uninstallation:
"Response Files" on page 126
"remove.rsp File Sections and Keys" on page 126
"Add Features to the Automated Uninstallation" on page 127
"Remove Configuration File Changes" on page 128
"Unattended Uninstallation of eDirectory using Response File" on page 128

Response Files
Uninstalling eDirectory on Windows operating system can be made silent and more flexible by using a response file (remove.rsp) to complete the following tasks:
Complete unattended uninstallation with all required user inputs
Default configuration of components
Bypass all prompts during the installation

A response file is a text file containing sections and keys, similar to a Windows .ini file. You can create and edit a response file by using any ASCII text editor. The eDirectory reads the uninstallation parameters directly from the response file and replaces the default uninstallation values with response file values. The uninstallation program accepts the values from the response file and continues to uninstall without prompts.

remove.rsp File Sections and Keys


The eDirectory uninstallation requires changes to the sections in the response file to add information including the tree name, administrator context, administrator credentials (including username and passwords), etc. A full list of the keys and their default values is available in the sample remove.rsp file that is delivered with the eDirectory installation.

NOTE: You should use the provided remove.rsp file available at eDirectory\nt\i386\NDSonNT\remove.rsp (for 32-bit) and eDirectory\windows\x64\NDSonNT\remove.rsp (for 64-bit) in the eDirectory installation. Essential parameters are set by default in this file. When editing the remove.rsp file, ensure there are no blank spaces between the key and the values along with the equals sign (=) in each key-value pair.

You provide the administrator user credentials in the remove.rsp file for an unattended uninstallation. Therefore, you must permanently delete the file after the uninstallation to prevent the administrator credentials from being compromised.

Add Features to the Automated Uninstallation


Most details for configuring the eDirectory Uninstaller have default setting for the manual uninstallation. However, during unattended uninstallation, each configuration parameter must be explicitly configured. This section discusses the basic settings to be unconfigured.

eDirectory Server Details


The details of the server being uninstalled must be provided to the Uninstaller. Most of this information is configured in three tags, [Novell:NDSforNT:1.0.0], [Initialization], and [Selected Nodes]. Take all the values mentioned in [Initialization] and [Selected Nodes] in remove.rsp as they are.

[Novell:NDSforNT:1.0.0]
Tree Name: The name of the tree from which the server will be uninstalled.

Admin Login Name: The name (RDN) of the Administrator object in the tree that has full rights, at least to the context to which this server is added. All operations in the tree will be performed as this user.

Admin Context: Any user added to a tree has a user object that contains all the user-specific details. This parameter is the container object in the tree to which the Administrator object will be added. For primary server installations, this container will be created with the server object.

Admin Password: The password for the Administrator object created in the previous parameters. This password will be configured to the Administrator object during primary server installations. For secondary server installations, this needs to be the password of the Administrator object in the primary server that has rights to the context to which the new server is added.

NDS Location: The eDirectory install location in the local system where the libraries and binaries are copied. By default, eDirectory is installed into C:\Novell\NDS unless it is changed in the response file.

DataDir: Until eDirectory version 8.8, the DIB was installed inside the NDS location as a subfolder. Later, administrators were given the option to provide a different DIB location, because there might be too much data stored in the DIB to fit into the NDS location. Currently, by default the DIB is installed in the Files subfolder inside the NDS location, but administrators can change this parameter and provide a different location.

mode: The type of setup on eDirectory. The three types of setup are:
deconfigure: Performs the deconfiguration of eDirectory.
uninstall: Performs uninstallation of eDirectory.
full: Performs both deconfiguration and uninstallation of eDirectory.

NOTE: If you opt for the full setup mode during unattended install, then while uninstalling eDirectory you cannot opt for individual deconfiguration and uninstallation option.

ConfigurationMode: If the setup mentioned in the mode key is deconfigure, then ensure that you do not change the RestrictNodeRemove value of the ConfigurationMode key.

Prompt: The type of the uninstallation mode should be mentioned in this variable. It will be set by default to silent for unattended uninstallation. If any value other than silent is set then it will do normal uninstallation.

The following is a sample of text in the response file for all the basic parameters described above:
[Novell:NDSforNT:1.0.0]
Tree Name=SILENTCORP-TREE
Admin Context=Novell
Admin Login Name=Admin
Admin Password=novell
prompt=silent
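The rules stated above for remove.rsp (no blank space next to the equals sign, the basic keys present, prompt set to silent, one of three mode values, and a cleartext administrator password that must not outlive the uninstallation) can be checked before the file is copied to the server. This is an added example, not a Novell tool: the function name is hypothetical, the list of required keys is taken from the sample above, and case-insensitive key matching and ";" comment lines are assumptions based on the .ini-like format.

```shell
#!/bin/sh
# Lint a remove.rsp response file before an unattended uninstallation.
# Added example; prints findings and returns 1 if any ERROR was found.
lint_remove_rsp() {   # usage: lint_remove_rsp <file>
    awk '
        { sub(/\r$/, "") }                        # tolerate Windows line endings
        /^[ \t]*$/ || /^[ \t]*;/ { next }         # blank line or ;comment (assumed syntax)
        /^\[.*\]$/ { section = $0; next }         # [section] header
        {
            i = index($0, "=")
            if (i == 0) {
                printf "ERROR line %d: not a key=value pair\n", NR
                bad = 1
                next
            }
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            # The guide forbids blank spaces between key, "=" and value.
            if (key ~ /[ \t]$/ || val ~ /^[ \t]/) {
                printf "ERROR line %d: blank space next to \"=\"\n", NR
                bad = 1
            }
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "[Novell:NDSforNT:1.0.0]") seen[tolower(key)] = val
        }
        END {
            # Keys shown in the sample response file on this page.
            n = split("tree name|admin context|admin login name|admin password|prompt", req, "|")
            for (j = 1; j <= n; j++) {
                if (!(req[j] in seen)) {
                    printf "ERROR: missing key \"%s\" in [Novell:NDSforNT:1.0.0]\n", req[j]
                    bad = 1
                }
            }
            if (("mode" in seen) && seen["mode"] !~ /^(deconfigure|uninstall|full)$/) {
                printf "ERROR: mode \"%s\" is not deconfigure, uninstall or full\n", seen["mode"]
                bad = 1
            }
            if (("prompt" in seen) && tolower(seen["prompt"]) != "silent")
                print "WARN: prompt is not silent; a normal uninstallation will run"
            if (("admin password" in seen) && seen["admin password"] != "")
                print "WARN: file holds the administrator password; delete it after the uninstallation"
            exit bad
        }' "$1"
}
```

A clean file still produces the password warning, which is the reminder to remove remove.rsp (and any copies made while editing it) once the uninstallation has finished.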

Remove Configuration File Changes


In the remove.cfg file residing in <Windows Install Drive>\Program Files\Common Files\novell\ni\bin, change
[PARAMETERS]0/OUTPUT_TO_FILE

to
[PARAMETERS]0/OUTPUT_TO_FILE /SILENT

Unattended Uninstallation of eDirectory using Response File


Copy the above edited file remove.rsp into <Windows Install Drive>\Program Files\Common Files\novell\ni\data.

The install.exe installed in the eDirectory is invoked in the command line with a few additional parameters. Depending on the required setup, you must use either of the following commands:

Deconfigure
<Windows Installed Drive>\Program Files\Common Files\novell\ni\bin>install.exe remove /restrictnoderemove /nopleasewait ..\data\ip.db ..\data\remove.rsp Novell:NDSForNT:1.0.0 0 NDSonNT

Uninstall
1 Rename the ip.db file present in the <Windows Drive>\Program Files\Common Files\novell\ni\data directory to another name.
2 Copy the ip_conf.db file in the <Windows Drive>\Program Files\Common Files\novell\ni\data folder to ip.db.
3 Run the following command:
<Windows Installed Drive>\Program Files\Common Files\novell\ni\bin>install.exe -remove /nopleasewait ..\data\ip.db ..\data\remove.rsp Novell:NDSForNT:1.0.0 0 NDSonNT

Deconfiguration and Uninstallation of eDirectory


<Windows Installed Drive>\Program Files\Common Files\novell\ni\bin>install.exe remove /nopleasewait ..\data\ip.db ..\data\remove.rsp Novell:NDSForNT:1.0.0 0 NDSonNT

After performing an uninstallation of eDirectory or combination setup, delete the following folders:
C:\Novell\NDS (default location, or else from the eDirectory installed directory)
C:\Novell\NDS\Files (default location, or else from the eDirectory DIB location)
<Windows Installed Drive>:\Program Files\Common Files\Novell\ni
<Windows Installed Drive>:\Windows\system32\NDScpa.cpl

11.1.3

Uninstalling NICI
1 On the Windows server where eDirectory is installed, click Start > Settings > Control Panel > Add/Remove Programs.
2 Select NICI from the list, then click Add/Remove.
3 Confirm that you want to remove NICI by clicking Yes.
The Installation Wizard removes NICI from the server.

After uninstalling NICI, if you want to completely remove NICI from your system, delete the C:\Windows\system32\novell\nici (32-bit) and C:\Windows\SysWOW64\novell\nici (64-bit) subdirectory. You might need to take ownership of some of the files and directories to delete them.

WARNING: After the nici subdirectory has been removed, any data or information that was previously encrypted with NICI will be lost.

11.1.4

Uninstalling Microsoft Visual C++ 2005 Runtime Libraries


If Microsoft Visual C++ 2005 Runtime Libraries are not used by any other products other than eDirectory, uninstall them by using the following procedure:
1 Navigate to Add/Remove Programs or Programs and Features on the Windows server where eDirectory is installed.
2 Remove the following redistribution package:
32-bit: Microsoft Visual C++ 2005 Redistributable
64-bit: Microsoft Visual C++ 2005 Redistributable and Microsoft Visual C++ 2005 Redistributable (x64)

11.2

Uninstalling eDirectory on Linux, Solaris, or AIX


Use the nds-uninstall utility to uninstall eDirectory components from Linux, Solaris, or AIX systems. This utility uninstalls eDirectory from the local host. You must deconfigure eDirectory server before running nds-uninstall. Run ndsconfig rm -a <admin FDN> to remove the eDirectory server. This utility is available at /opt/novell/eDirectory/sbin/nds-uninstall. However, ndsconfig rm is not supported on OES 2 SP2 or later versions.

IMPORTANT: Removing eDirectory also removes the roll-forward log directory and all the logs in it. If you want to be able to use the logs for restoring eDirectory on this server in the future, before removing eDirectory you must first copy the roll-forward logs to another location. For information about roll-forward logs, see "Using Roll-Forward Logs" in the Novell eDirectory 8.8 SP7 Administration Guide.


1 Execute the nds-uninstall command.
2 Use the following syntax:
nds-uninstall [-s][-h]

If you do not provide the required parameters in the command line, the nds-install utility will prompt for the parameters.

Parameter   Description
-h          Displays the help strings.
-s          Removes the eDirectory packages and binaries even when instances are configured. However, this option does not remove the DIB directory and the NDS configuration file. IMPORTANT: Ensure that using this option is not affecting other services for a long period.

nds-uninstall does not uninstall the following packages:

Package        Reasons for Not Removing
NICI package   NICI could be used by any of the following: Any other product; eDirectory installed in a custom location; eDirectory installed by a nonroot user
NOVLsubag      NOVLsubag could be used by any of the following: eDirectory installed in a custom location; eDirectory installed by a nonroot user

11.3

Unattended Uninstallation of eDirectory on UNIX


1 Remove the instances of eDirectory:
ndsconfig rm -a <user name> -w passwd -c
2 Use either of the following in the automated script for the deconfiguration of eDirectory:
Passing the password through environment variable:
ndsconfig rm -a <user name> -w env:<environment variable> -c
Passing the password through file:
ndsconfig rm -a <user name> -w file:<filename with absolute/relative path> -c
3 (Optional) In case of multiple instances, run the following command for individual instances:
ndsconfig rm -a <user name> -w passwd --config-file <absolute path for configuration file>
For example:
ndsconfig rm -a admin.novell -w n -c
ndsconfig rm -a admin.novell -w env:ADM_PASWD -c
ndsconfig rm -a admin.novell -w file:/Builds/88SP7/adm_paswd -c
4 To uninstall the eDirectory packages, run the nds-uninstall script to remove the eDirectory packages:
nds-uninstall -u
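Of the three ways shown above to pass the password, the literal -w passwd form places it on the command line, where it appears in the process list and shell history; the file: form avoids that as long as the file is owner-only and is removed afterwards. The wrapper below is an added example, not part of the Novell guide: the function names and the NDSCONFIG override variable are hypothetical, and writing the password without a trailing newline is an assumption, since the guide does not describe the file format.

```shell
#!/bin/sh
# Stage the admin password in an owner-only temporary file, hand it to
# "ndsconfig rm" through the file: form shown above, and always remove it.
# Added example; NDSCONFIG may point at another binary (defaults to ndsconfig).

# Read one line (the password) from stdin, store it in a 0600 file, print the path.
make_pw_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/ndspw.XXXXXX") || return 1
    chmod 600 "$f"
    IFS= read -r pw || [ -n "$pw" ] || { rm -f "$f"; return 1; }
    # Assumption: no trailing newline is written after the password.
    printf '%s' "$pw" > "$f"
    unset pw
    printf '%s\n' "$f"
}

# Deconfigure the eDirectory instance; the password is read from stdin.
deconfigure_instance() {   # usage: deconfigure_instance <admin FDN>
    pwfile=$(make_pw_file) || { echo "no password supplied on stdin" >&2; return 1; }
    # Remove the staged password even if the run is interrupted.
    trap 'rm -f "$pwfile"; exit 130' INT TERM HUP
    rc=0
    "${NDSCONFIG:-ndsconfig}" rm -a "$1" -w "file:$pwfile" -c || rc=$?
    rm -f "$pwfile"
    trap - INT TERM HUP
    return "$rc"
}
```

Feed the password on standard input from a prompt or a secrets store, for example `deconfigure_instance admin.novell`, then run nds-uninstall -u as in step 4.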

11.4

Caveats for Uninstalling eDirectory


When you uninstall eDirectory and install it again, the eDirectory server cannot be accessible to the other servers in the network. All the distributed operations such as synchronization and obituary processing do not take place on the partitions whose replicas are present in the eDirectory server. If this state persists for a while, it might impact all the servers and the processes running on them.

Avoid uninstalling a newer version of eDirectory and install an earlier version, because:
Does not revert the schema-related upgrades.
eDirectory might not be functional if DIB is upgraded to the newer version.
Removes all the existing configuration files, except for the nds.conf.

However, consider the following when you uninstall a newer version of eDirectory and install an earlier version:
Upgrade the DIB to the newer version. Else, eDirectory might not be functional.
Back up the existing configuration files, except for the nds.conf, and restore when eDirectory is installed again.
Does not revert the schema-related upgrades.

12

Auditing eDirectory Events

You can audit eDirectory events in one of the following ways:
Section 12.1, "Auditing with Novell Audit," on page 133
Section 12.2, "Auditing with XDASv2," on page 145

12.1

Auditing with Novell Audit

Using the Novell Audit package, you can send events generated by eDirectory to an outside auditing client for monitoring purposes.

Earlier eDirectory instrumentation was a part of Novell Audit. However, from eDirectory 8.8 SP3 version onwards, eDirectory instrumentation is bundled with eDirectory. You need to install this package for auditing eDirectory events with Novell Audit.

Use the following information to install, configure, or uninstall Novell Audit on Linux, Solaris, and Windows servers:
Section 12.1.1, "Supported Platforms," on page 133
Section 12.1.2, "Prerequisites," on page 135
Section 12.1.3, "Installing Novell Audit Packages," on page 135
Section 12.1.4, "Installing the Novell Audit iManager Plug-in," on page 137
Section 12.1.5, "Understanding eDirectory Event Reporting," on page 137
Section 12.1.6, "Understanding eDirectory Event Types," on page 138
Section 12.1.7, "Understanding eDirectory Auditing Event Filtering," on page 139
Section 12.1.8, "Configuring the Novell Audit Platform Agent," on page 140
Section 12.1.9, "Configuring Novell Audit for eDirectory," on page 140
Section 12.1.10, "Loading the Audit Module," on page 142
Section 12.1.11, "Monitoring eDirectory Events with Sentinel," on page 143
Section 12.1.12, "Uninstalling the Novell Audit Packages," on page 144

12.1.1

Supported Platforms
"32-Bit eDirectory" on page 134
"64-bit eDirectory" on page 134

NOTE: eDirectory does not support auditing events on servers running AIX.

32-Bit eDirectory
"Linux" on page 134
"Solaris" on page 134
"Windows" on page 134

Linux
32-bit
SUSE Linux Enterprise Server (SLES) 11
SLES 10 SP1, SP2 and SP3
SLES 10 SP1, SP2 and SP3 XEN
Red Hat Enterprise Linux (RHEL) 5**
RHEL 5** AP
RHEL 5** AP Virtualization
RHEL 6.0
64-bit
SLES 11 64-bit
SLES 10 SP1, SP2, SP3 64-bit
SLES 10 SP1, SP2 and SP3 XEN 64-bit
RHEL 5** 64-bit
RHEL 5** AP 64-bit
RHEL 5** AP Virtualization 64-bit
RHEL 6.0

Solaris
Solaris* 10 on Sun SPARC

Windows
32-bit Windows* 2003 Enterprise Server SP2
32-bit Windows* 2008 Server (Standard/Enterprise/Data Center Edition)
** Latest service pack

64-bit eDirectory
Linux
SLES 11 64-bit
SLES 10 SP1, SP2 and SP3 64-bit
SLES 10 SP1, SP2 and SP3 XEN 64-bit
RHEL 5** 64-bit
RHEL 5** AP 64-bit
RHEL 5** AP Virtualization 64-bit
RHEL 6.0

Solaris
Solaris* 10 on Sun SPARC

Windows
64-bit Windows* 2008 Server (Standard/Enterprise/Data Center Edition)
Windows 2008 R2 Server (Standard/Enterprise/Data Center Edition)
** Latest service pack

12.1.2

Prerequisites
eDirectory 8.8 SP7 auditing supports only the Audit Platform Agent.
Installing and using the Novell Audit iManager Plug-in requires iManager 2.7.3 or later. For more information, refer to the Novell iManager Documentation Page (http://www.novell.com/documentation/imanager27/index.html).

12.1.3

Installing Novell Audit Packages


"Linux" on page 135
"Solaris" on page 136
"Windows" on page 137

Linux
If the Audit Platform Agent configuration file (logevent.conf) already exists in /etc, back up the file before installing the Audit packages, because the new package overwrites the existing configuration.

If the Audit module is already loaded, unload the auditds module by using the ndstrace -c "unload auditds" command.

For OES 2 SP3 32-bit, you must download the eDirectory standalone build for Linux 32-bit from the Novell Downloads (http://download.novell.com/) Web site. Extract the build and use the novell-AUDTedirinst-8.8.7-xx.i586.rpm file.

For OES 2 SP3 64-bit, you must download the eDirectory standalone build for Linux 64-bit from the Novell Downloads (http://download.novell.com/) Web site. Extract the build and use the novell-AUDTedirinst-8.8.7-xx.x86_64.rpm file.

For the 32-bit Audit package:


1 Install novell-AUDTplatformagent-2.0.2-62.i586.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh /root/eDirectory/setup/novell-AUDTplatformagent-2.0.2-62.i586.rpm
2 Install novell-AUDTedirinst-8.8.7-xx.i586.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh /root/eDirectory/setup/novell-AUDTedirinst-8.8.7-xx.i586.rpm

For the 64-bit Audit package:
1 Install novell-AUDTplatformagent-2.0.2-62.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh /root/eDirectory/setup/novell-AUDTplatformagent-2.0.2-62.x86_64.rpm
2 Install the novell-AUDTedirinst-8.8.6-xx.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh <eDirectory build extracted folder>/eDirectory/setup/novell-AUDTedirinst-8.8.6-xx.x86_64.rpm

Run ndstrace -c "load auditds" to load the auditds module. This step is common for loading the Audit module on both 32-bit and 64-bit eDirectory.

Solaris
If the Audit Platform Agent configuration file (logevent.conf) already exists in /etc, then back up the file before installing the Audit packages, as the new package overwrites the existing configuration.

If the Audit Platform Agent is already loaded, unload the auditds module by using the ndstrace -c "unload auditds" command.

For 32-bit Audit package
Install NOVLaudpa.pkg from the setup directory of the extracted eDirectory build for the Solaris platform. For example:
#pkgadd -a <eDirectory build extracted folder>/eDirectory/setup/admin.audit -d <path to the downloaded Audit Platform Agent location>/NOVLaudpa.pkg all
#pkgadd -a <eDirectory build extracted folder>/eDirectory/setup/admin.audit -d <eDirectory build extracted folder>/eDirectory/setup/NOVLaudin.pkg

For 64-bit Audit package
Install NOVLaudpax.pkg from the setup directory of the extracted eDirectory build for the Solaris platform. For example:
#pkgadd -a <eDirectory build extracted folder>/eDirectory/setup/admin.audit -d <path to the downloaded Audit Platform Agent location>/NOVLaudpax.pkg all
#pkgadd -a <eDirectory build extracted folder>/eDirectory/setup/admin.audit -d <eDirectory build extracted folder>/eDirectory/setup/NOVLaudinx.pkg

Windows
If the Audit Platform Agent configuration file (logevent.cfg) already exists in C:\WINDOWS, back up the file before installing instrumentation, because the new package overwrites the existing configuration.

For 32-bit installation of Audit packages and Audit Platform Agent:
1 Run the pa_win32.exe file for 32-bit Audit Platform Agent from the installer folder.
2 Unzip the eDirectoryInstrumentation-win-8.8.7.zip file for 32-bit Instrumentation from the <installerFolder>/nt/auditds/. Unzipping this file creates a Novell directory.
3 Copy the Novell\NDS\nauditds.dlm to the C:\Novell\NDS directory or to any other directory where eDirectory is installed.
4 Copy the Novell\NDS\ediraudit.sch file to the C:\Novell\NDS directory or to any other directory where eDirectory is installed on the Windows server.

For 64-bit installation of Audit packages and Audit Platform Agent:
1 Run the pa_win64.exe file for 64-bit Audit Platform Agent.
2 Unzip the eDirectoryInstrumentation-win-8.8.7.zip file for 64-bit Audit package from the <installerFolder>/nt/auditds/. Unzipping this file creates a Novell directory.
3 Copy the Novell\NDS\nauditds.dlm to the C:\Novell\NDS directory or to any other directory where eDirectory is installed.
4 Copy the Novell\NDS\ediraudit.sch file to the C:\Novell\NDS directory or to any other directory where eDirectory is installed on the Windows server.

12.1.4

Installing the Novell Audit iManager Plug-in


To configure auditing of eDirectory events using the Novell Audit Platform Agent, you must first install the Novell Audit plug-in for iManager.

Installing and using the Novell Audit iManager plug-in requires iManager 2.7.4 or later. See the iManager Installation Guide (https://www.netiq.com/documentation/imanager27/imanager_install_275/data/hk42s9ot.html) for iManager installation requirements and download instructions.

The Novell Audit iManager plug-in is bundled with eDirectory 8.8 SP6 plug-ins. eDirectory 8.8 SP6 plug-ins can be downloaded from the Novell download site (http://download.novell.com/SummaryFree.jsp?buildid=EKamexBB_F4~).

The installation instructions are available on the eDirectory 8.8 Plug-ins for iManager 2.7 download page (http://www.novell.com/documentation/edir88/esd/ii_edir886_iman_27_plugins.html).

12.1.5

Understanding eDirectory Event Reporting


eDirectory uses two different event reporting systems to log events, journal and inline. By default, eDirectory logs events using journal event reporting, but you can enable inline event reporting in iManager. For more information about enabling inline event reporting, see Section 12.1.9, "Configuring Novell Audit for eDirectory," on page 140.

Journal: This reporting system provides synchronous post-event reporting. With journal event reporting enabled, when an event is generated, eDirectory adds the event to the journal event processing queue. eDirectory then uses a separate thread to process events in the queue and sends those events to the auditing client.

Inline: This reporting system provides synchronous pre-event reporting. With inline event reporting enabled, when an event is generated, eDirectory uses the same thread to send the event directly to the client. Note that enabling inline event reporting can affect eDirectory performance.

12.1.6 Understanding eDirectory Event Types

You can configure eDirectory to log events in the following categories:

Meta
Objects
Attributes
Schema
Connections
Agent
Miscellaneous
Bindery
Replica
Partition
LDAP

We recommend auditing the following default set of event types:

Category         Event Type
Meta             All event types
Objects          Add Property, Allow Login, Change Password, Change Security Equals, Create, Delete, Delete Property, Login, Logout, Modify RDN, Move (Destination), Move (Source), Remove, Rename, Restore, Search, Verify Password
Attributes       All event types
Agent            DS Reloaded, Local Agent Closed, Local Agent Opened, NLM Loaded
Miscellaneous    Generated CA Keys, Recertified Public Key
LDAP             LDAP Bind, LDAP Modify, LDAP Password Modify, LDAP Add Response, LDAP Unbind, LDAP Delete, LDAP Modify DN, LDAP Modify Response, LDAP Search, LDAP Bind Response, LDAP Delete Response, LDAP Add, LDAP Search Response, LDAP Modify DN Response

12.1.7 Understanding eDirectory Auditing Event Filtering

You can also filter events for one or more specific object classes or attributes, depending on the event type. eDirectory evaluates all generated events against the configured filters on the eDirectory server and sends only events matching those filters through to the auditing client.

Multiple filters filter eDirectory events separately. For example, if you configure filtering on both a specific object class and one or more attributes, eDirectory sends events matching any of those filters to the client. You cannot configure filtering so that eDirectory sends only events of a certain object class and certain attributes to the client. You can select multiple object classes or attributes for which you want to filter eDirectory events.

NOTE: You can only filter a combined maximum of 256 object classes and attributes.

Click one of the following hyperlinked event types to select one or more object classes or attributes to filter for that event type:

Category      Event Type                                            Filtering Type
Objects       Create, Delete                                        Object Class
Attributes    Add Value, Delete Value                               Object Class or Attribute
LDAP          LDAP Modify, LDAP Delete, LDAP Modify DN, LDAP Add    Object Class

For example, if you want to be notified when someone creates a user account in eDirectory, you can create a filter using iManager to look for only Create Object events that create a User object.

In iManager, navigate to Roles and Tasks > eDirectory Auditing > Audit Configuration, select the NCP Server you want to monitor, and then click the Novell Audit tab. In the Objects list, click the Create hyperlink. In the Available Object Classes list, select User, then click the right arrow to move User to the Selected Object Classes list, and then click OK.

With the filter configured, eDirectory checks all generated events for user creation events and sends those events to the client. If you do not select other event types or configure filtering for other object classes or attributes, eDirectory only audits user creation events.

Note that Object and LDAP category filters only allow you to filter on object classes, while Attribute category filters allow you to filter on both object classes and attributes.

If you select one of the event types above but do not specify an object class or attribute on which to filter, eDirectory sends all events of that event type to the client.
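The matching rules in this section, modeled as an added Python example (not Novell code): an event type that is not selected is never sent, a selected type with no filter sends everything, and configured filters are combined with OR, never AND. The event dictionaries, the attribute names and the reading of the 256-entry limit as applying to the whole configuration are assumptions made for illustration.

```python
# Illustrative model of the filter behaviour described in section 12.1.7.
# Event types that accept filters and the filter kinds each accepts (from the table above).
FILTERABLE = {
    "Objects>Create": {"object_class"},
    "Objects>Delete": {"object_class"},
    "Attributes>Add Value": {"object_class", "attribute"},
    "Attributes>Delete Value": {"object_class", "attribute"},
    "LDAP>LDAP Add": {"object_class"},
    "LDAP>LDAP Modify": {"object_class"},
    "LDAP>LDAP Delete": {"object_class"},
    "LDAP>LDAP Modify DN": {"object_class"},
}
MAX_FILTER_ENTRIES = 256  # combined object classes and attributes (assumed: per configuration)


def validate(config):
    """Return a list of problems found in a {event_type: {kind: set_of_values}} configuration."""
    problems = []
    total = 0
    for event_type, filters in config.items():
        allowed = FILTERABLE.get(event_type, set())
        for kind, values in filters.items():
            total += len(values)
            if values and kind not in allowed:
                problems.append(f"{event_type}: {kind} filtering is not available")
    if total > MAX_FILTER_ENTRIES:
        problems.append(f"{total} filter entries exceed the limit of {MAX_FILTER_ENTRIES}")
    return problems


def is_forwarded(event, config):
    """Decide whether the server would send this event to the auditing client."""
    filters = config.get(event["type"])
    if filters is None:
        return False  # event type not selected for auditing
    active = {kind: values for kind, values in filters.items() if values}
    if not active:
        return True  # selected without a filter: every event of this type is sent
    # Each filter is evaluated separately, so one match is enough (OR, not AND).
    return any(event.get(kind) in values for kind, values in active.items())


# Constructed configuration: the administrator hopes for "Description changes on User objects".
CONFIG = {
    "Objects>Create": {"object_class": {"User"}},
    "Objects>Delete": {},
    "Attributes>Add Value": {"object_class": {"User"}, "attribute": {"Description"}},
}

# Constructed sample events.
EVENTS = [
    {"type": "Attributes>Add Value", "object_class": "User", "attribute": "Surname"},
    {"type": "Attributes>Add Value", "object_class": "Group", "attribute": "Description"},
    {"type": "Attributes>Add Value", "object_class": "Group", "attribute": "Member"},
    {"type": "Objects>Create", "object_class": "Group"},
    {"type": "Objects>Delete", "object_class": "Group"},
    {"type": "LDAP>LDAP Bind"},
]


def forwarded_flags(events=EVENTS, config=CONFIG):
    """Return one True/False per event: True when the event reaches the client."""
    return [is_forwarded(event, config) for event in events]


if __name__ == "__main__":
    for event, sent in zip(EVENTS, forwarded_flags()):
        print("sent   " if sent else "dropped", event)
```

The first two sample events are both sent even though neither is a Description change on a User object, which is the extra volume to plan for when an object class filter and an attribute filter are set on the same event type.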

12.1.8 Configuring the Novell Audit Platform Agent

If the Audit Platform Agent is not already configured, edit the Platform Agent configuration file to set the Audit Server's host address in the LogHost. The configuration file is located by default at the following directory:

Linux: /etc/logevent.conf
Windows: Windows_directory\logevent.cfg

For example, modify the LogHost attribute as follows:

LogHost=192.168.1.8

For more information, refer to the "Configuring the Audit Platform Agent" (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/al36zjk.html) section in the Novell Audit 2.0 Administration Guide.

12.1.9 Configuring Novell Audit for eDirectory

Follow the procedure below to use iManager to configure auditing of eDirectory events with the Novell Audit Platform Agent.

NOTE: For information about configuring XDASv2 auditing, see the Novell XDASv2 Administration Guide.


Using iManager, select the eDirectory event types that you want to audit:

1 Log in to the iManager console using the following URL:
  https://ip_address_or_DNS/nps/
  where ip_address_or_DNS is the IP address or DNS name of your iManager server. For example:
  https://192.168.0.5/nps/
2 Under Roles and Tasks, select eDirectory Auditing > Audit Configuration.
3 Browse to and select the NCP Server object that corresponds to the eDirectory Server from which you want to collect events. Click OK.
4 Click the Novell Audit tab to display the eDirectory Instrumentation Settings page.
5 If you do not want eDirectory to send replicated events to another replica in the replica ring, select Do Not Send Replicated Events. You can use this option to filter out unnecessary event noise and reduce log size.
6 If you want to enable inline pre-event reporting, select Register For Events Inline. Note that selecting this option can slow eDirectory performance.
7 Select the event types that you want to audit.
8 If you want to filter events for one or more specific object classes, complete the following steps:
  8a Click one of the following hyperlinked objects:
     Objects > Create
     Objects > Delete
     Attributes > Add Value
     Attributes > Delete Value
     LDAP > LDAP Add
     LDAP > LDAP Modify
     LDAP > LDAP Delete
     LDAP > LDAP Modify DN
  8b In the Available Object Classes list, select the object classes for which you want to audit events and click the right arrow.
  8c Click OK, then click OK again.
9 If you want to filter events for one or more specific attributes, complete the following steps:
  9a Click one of the following hyperlinked objects:
     Attributes > Add Value
     Attributes > Delete Value
  9b In the Available Attributes list, select the attributes for which you want to audit events and click the right arrow.
  9c Click OK, then click OK again.

  NOTE: eDirectory evaluates events individually against all filters, so if an event matches one filter but not another, eDirectory still sends the event to the client. For more information about filtering events, see Section 12.1.7, "Understanding eDirectory Auditing Event Filtering," on page 139.

10 Click Apply, then click OK.


Changes to your auditing configuration take effect within three minutes. If you want to immediately apply changes, you can also unload and then reload the Audit module. For more information about loading the audit module, see Section 12.1.10, "Loading the Audit Module," on page 142.

12.1.10 Loading the Audit Module

Use the following procedures to load or unload the Audit module.

Linux
Windows

Linux

1 Run the following command to load the Audit module if it is not already loaded:
  ndstrace -c "load auditds"
2 Run the following command to unload the Audit module:
  ndstrace -c "unload auditds"

  NOTE: Step 1 and Step 2 are common for 32 and 64-bit eDirectory.

3 To automatically load Audit modules when eDirectory is started, edit the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and add the following line:
  auditds auto #eDirectory instrumentation

Windows

1 To load the Audit module, click Start > Control Panel > Novell eDirectory Services. Select nauditds from the Services tab, then click Start.
2 To unload the Audit module, click Start > Control Panel > Novell eDirectory Services. Select nauditds from the Services tab, then click Stop.

  NOTE: Step 1 and Step 2 are common for 32 and 64-bit eDirectory.

3 To automatically load the Audit module when eDirectory is started, complete the following steps:
  3a Click Start > Control Panel > Novell eDirectory Services.
  3b Select nauditds from the Services tab, then click Startup.
  3c Select Automatic, then click OK.
4 To disable automatic loading of Audit module when eDirectory is started, complete the following steps:
  4a Click Start > Control Panel > Novell eDirectory Services.
  4b Select nauditds from the Services tab, click Startup.
  4c Deselect the Automatic check box, then click OK.


12.1.11 Monitoring eDirectory Events with Sentinel

Novell Sentinel provides a Collector for collecting and auditing eDirectory events. In order to monitor some types of eDirectory events in Sentinel, you must ensure that certain eDirectory auditing settings are configured properly.

For detailed information on configuring auditing settings, see Section 12.1.9, "Configuring Novell Audit for eDirectory," on page 140.

For information on configuring Sentinel to collect eDirectory events, see the Sentinel Collector Guide for Novell eDirectory, located on the Sentinel Plug-ins site (http://support.novell.com/products/sentinel/secure/sentinelplugins.html).

Auditing Create Object Events

When creating an object that will be used as an account, eDirectory first creates a generic object, then modifies the object class to a user type with an Add Value event. If you want Sentinel to properly collect the event, you must enable auditing of Add Value events in iManager. If you do not enable Add Value event auditing, the Sentinel Collector cannot parse Create Object events and will generate a Configuration Error event in Sentinel.

To enable auditing of Create Object events, launch iManager and navigate to the eDirectory Auditing > Audit Configuration > Novell Audit window. Select both Objects > Create and Attributes > Add Value.

Auditing LDAP Events

eDirectory considers each LDAP request to be a transaction, and generates events when a request is initiated and when a response is received and the transaction is completed.

In Sentinel, however, each request-response pair is treated as one event. In order to audit a type of LDAP event in eDirectory using Sentinel, you must enable auditing for both the request event and the response event. For example, to audit an LDAP bind request, you must configure auditing for both LDAP Bind and LDAP Bind Response events in iManager.

Auditing Failed Login Events

If you want to monitor failed login events in eDirectory, you must use iManager to enable auditing on Add Value events on the eDirectory server. You must also enable Intruder Detection on the eDirectory container or containers where you want to audit failed login events.

IMPORTANT: You must enable Intruder Detection and Add Value event auditing on each server with a replica of the container you want to monitor.

Use the following procedure to enable Intruder Detection on a container:

1 Log in to the iManager console using the following URL:
  https://ip_address_or_DNS/nps/
  where ip_address_or_DNS is the IP address or DNS name of your iManager server. For example:
  https://192.168.0.5/nps/
2 Under Roles and Tasks, select Directory Administration > Modify Object.
3 Browse to and select the eDirectory container you want to audit. Click OK.


4 On the General tab, click Intruder Detection.
5 Select Detect intruders.
6 Click OK.

NOTE: You do not need to configure any other Intruder Detection-related settings or enable the Lock account after detection setting.
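The three Sentinel prerequisites above (Create needs Add Value, each LDAP request needs its response event, failed logins need Add Value plus Intruder Detection on every replica server), as an added Python check that is not part of the Novell guide. The inventory dictionary and server names are constructed; how you record each server's iManager settings is an assumption.

```python
# Added example: check per-server audit settings against the Sentinel
# prerequisites in section 12.1.11. The inventory format is hypothetical.

# LDAP request events that have a matching "... Response" event in the
# recommended set of section 12.1.6.
LDAP_REQUESTS = ("LDAP Bind", "LDAP Modify", "LDAP Add",
                 "LDAP Delete", "LDAP Modify DN", "LDAP Search")


def server_gaps(events, intruder_detection, want_failed_logins=True):
    """Return the Sentinel prerequisites one server's settings do not meet."""
    events = set(events)
    gaps = []
    # Account creation is a generic Create followed by an Add Value that sets the class.
    if "Create" in events and "Add Value" not in events:
        gaps.append("Create is audited without Add Value: the Collector cannot "
                    "parse Create Object events and raises a Configuration Error")
    # Sentinel treats a request-response pair as one event, so both halves are needed.
    for request in LDAP_REQUESTS:
        response = request + " Response"
        if (request in events) != (response in events):
            missing = response if request in events else request
            gaps.append(f"{missing} is not audited, so its LDAP transaction is incomplete")
    if want_failed_logins:
        if "Add Value" not in events:
            gaps.append("failed logins need Add Value auditing")
        if not intruder_detection:
            gaps.append("failed logins need Intruder Detection on the container")
    return gaps


def replica_ring_gaps(ring, want_failed_logins=True):
    """Check every server holding a replica; return {server: [gaps]} for those with gaps."""
    report = {}
    for server, settings in ring.items():
        gaps = server_gaps(settings["events"], settings["intruder_detection"],
                           want_failed_logins)
        if gaps:
            report[server] = gaps
    return report


# Constructed inventory of two servers in one replica ring.
RING = {
    "srv-a": {"events": {"Create", "Add Value", "LDAP Bind", "LDAP Bind Response"},
              "intruder_detection": True},
    "srv-b": {"events": {"Create", "LDAP Bind", "LDAP Search Response"},
              "intruder_detection": False},
}

if __name__ == "__main__":
    for server, gaps in replica_ring_gaps(RING).items():
        for gap in gaps:
            print(f"{server}: {gap}")
```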

12.1.12 Uninstalling the Novell Audit Packages

The following sections explain how to uninstall the Novell Audit packages:

Uninstalling Audit Packages on Linux
Uninstalling Audit Packages on Solaris
Uninstalling Audit Packages on Windows

Uninstalling Audit Packages on Linux

To uninstall Audit packages on Linux:

1 Unload the Audit module by using the command ndstrace -c "unload auditds".
2 Uninstall the novell-AUDTedirinst-8.8.6-xx RPM.
  # rpm -e --nodeps novell-AUDTedirinst-8.8.6-xx

  NOTE: The RPM name is the same for both 32 and 64-bit Audit packages.

3 Disable automatic loading of Audit modules when eDirectory is started by editing the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and removing the line corresponding to auditds (if it exists). The line corresponding to auditds is as follows:
  auditds auto #eDirectory Instrumentation

NOTE: If no other auditing is installed, then uninstall the novell-AUDTplatformagent-2.0.2-62 Audit Platform Agent by using the # rpm -e novell-AUDTplatformagent-2.0.2-62 command. The RPM name is the same for both 32 and 64-bit auditing packages.

Uninstalling Audit Packages on Solaris

To uninstall Audit packages on Solaris:

1 Unload the Audit module by using the ndstrace -c "unload auditds" command.
2 Uninstall the NOVLaudin package for 32-bit Audit and NOVLaudinx package for 64-bit Audit. For example, the package can be uninstalled using the following commands:
  # pkgrm NOVLaudin
  # pkgrm NOVLaudinx
3 Disable automatic loading of Novell Audit when eDirectory is started by editing the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and removing the line corresponding to auditds (if it exists). The line corresponding to auditds is as follows:
  auditds auto #eDirectory Instrumentation


NOTE: If no other instrumentation is installed, then uninstall the NOVLaudpa Audit Platform Agent package for the 32-bit Audit package and the NOVLaudpax Audit Platform Agent package for the 64-bit Audit package. For example, the package can be removed using the # pkgrm NOVLaudpa command and the # pkgrm NOVLaudpax command.

Uninstalling Audit Packages on Windows

On Windows, the procedure to uninstall 32-bit Audit packages and 64-bit Audit packages is the same.

To uninstall Audit packages on Windows:

1 Unload the Audit module as follows:
  1a Navigate to Start > Control Panel > Novell eDirectory Services.
  1b Select Services.
  1c Click nauditds.dlm, then click Stop.
2 Delete nauditds.dlm from the C:\Novell\NDS directory.
3 Delete the ediraudit.sch file from the C:\Novell\NDS directory.
4 Complete the following steps to disable automatic loading of Audit packages when eDirectory is started:
  4a Navigate to Start > Control Panel > Novell eDirectory Services.
  4b Select Services.
  4c Click nauditds.dlm, then click Startup.
  4d Disable the Automatic option by clearing the check box.
  4e Click OK.

NOTE: If no other instrumentation is installed, uninstall the Audit Platform Agent by deleting the logevent.dll file from C:\Novell\NDS.

12.2 Auditing with XDASv2

The XDASv2 specification provides a standardized classification for audit events. It defines a set of generic events at a global distributed system level. XDASv2 provides a common portable audit record format to facilitate the merging and analysis of audit information from multiple components at the distributed system level. The XDASv2 events are encapsulated within a hierarchical notational system that helps to extend the standard or existing event identifier set.

By default, the XDASv2 packages are installed when eDirectory is installed. For more information on auditing with XDASv2, refer to the Novell XDASv2 Administration Guide.

NOTE: eDirectory does not support auditing events on servers running AIX.


Linux, Solaris, and AIX Packages for Novell eDirectory

Novell eDirectory includes a Linux, Solaris, and AIX package system, which is a collection of tools that simplify the installation and uninstallation of various eDirectory components. Packages contain makefiles that describe the requirements to build a certain component of eDirectory. Packages also include configuration files, utilities, libraries, daemons, and man pages that use the standard Linux, Solaris, or AIX tools installed with the OS.

The following table provides information about the Linux, Solaris, and AIX packages that are included with Novell eDirectory.

NOTE: On Linux, all the packages are prefixed with novell-. For example, NDSserv is novell-NDSserv.

Package      Description

NOVLice      Contains the Novell Import Convert Export utility and is dependent on the NOVLlmgnt, NOVLxis, and NLDAPbase packages.

NDSbase      Represents the Directory User Agent. This package is dependent on the NICI package. The NDSbase package contains the following:
             - Authentication toolbox containing the RSA authentication needed for eDirectory
             - Platform-independent system abstraction library, a library containing all the defined Directory User Agent functions, and the schema extension library
             - Combined configuration utility and the Directory User Agent test utility
             - eDirectory configuration file and manual pages

NDScommon    Contains the man pages for the eDirectory configuration file, install, and uninstall utilities. This package is dependent on the NDSbase package.

NDSmasv      Contains the libraries required for mandatory access control (MASV).

NDSserv      Contains all the binaries and libraries needed by the eDirectory Server. It also contains the utilities to manage the eDirectory Server on the system. This package is dependent on the NDSbase, NDScommon, NDSmasv, NLDAPsdk, NOVLpkia and NOVLpkit packages. The NDSserv package contains the following:
             - NDS install library, FLAIM library, trace library, NDS library, LDAP server library, LDAP install library, index editor library, DNS library, merge library, and LDAP extension library for LDAP SDK
             - eDirectory Server daemon
             - Binary for DNS and a binary to load or unload LDAP
             - The utility needed to create the MAC address, the utility to trace the server and change some of the global variables of the server, the utility to back up and restore eDirectory, and the utility to merge eDirectory trees
             - Startup scripts for DNS, NDSD, and NLDAP
             - Man pages

NDSimon      Contains the runtime libraries and utilities used to search and retrieve data from eDirectory services. This package is dependent on the NDSbase package.

NDSrepair    Contains the runtime libraries and the utility that corrects problems in the eDirectory database. This package is dependent on the NDSbase package.

NLDAPbase    Contains LDAP libraries, extensions to LDAP libraries, and the following LDAP tools:
             - ldapdelete
             - ldapmodify
             - ldapmodrdn
             - ldapsearch
             This package is dependent on the NLDAPsdk package.

NOVLnmas     Contains all the NMAS libraries and the nmasinst binaries needed for NMAS server. This package is dependent on the NICI and NDSmasv packages.

NLDAPsdk     Contains Novell extensions to LDAP runtime and Security libraries (Client NICI).

NOVLsubag    Contains the runtime libraries and utilities for the eDirectory SNMP subagent. This package is dependent on the NICI, NDSbase, and NLDAPbase packages.

NOVLpkit     Provides PKI Services which do not require eDirectory. This package is dependent on the NICI and NLDAPsdk packages.

NOVLpkis     Provides PKI Server Service. This package is dependent on the NICI, NDSbase, and NLDAPsdk packages.

NOVLsnmp     The runtime libraries and utilities for SNMP. This package is dependent on the NICI package.

NDSdexvnt    Contains the library that manages events generated in Novell eDirectory to other databases.

NOVLpkia     Provides PKI services. This package is dependent on the NICI, NDSbase, and NLDAPsdk packages.

NOVLembox    Provides the eMBox infrastructure and eMTools.

NOVLlmgnt    Contains runtime libraries for Novell Language Management.

NOVLxis      Contains the runtime libraries for Novell XIS.

NOVLsas      Contains the Novell SAS libraries.

NOVLntls     Contains Novell TLS library. This package is identified as:
             - NOVLntls on Solaris, and AIX
             - ntls on Linux

NOVLldif2    Contains the Novell Offline Bulkload utility and is dependent on the NDSbase, NDSserv, NOVLntls, NOVLlmgnt, and NICI packages.

NOVLncp      Contains the Novell Encrypted NCP Services for UNIX. This package is dependent on the NDScommon package.


eDirectory Health Checks

Novell eDirectory 8.8 provides a diagnostic tool to help you determine whether your eDirectory health is safe. The primary use of this tool is to check if the health of the server is safe before upgrading.

eDirectory health checks are run by default with every upgrade and they occur before the actual package upgrade. However, you can run the diagnostic tool, ndscheck, to do the health checks at any time.

B.1 Need for Health Checks

In earlier releases of eDirectory, the upgrade did not check the health of the server before proceeding with the upgrade. If the health was unstable, the upgrade operation would fail and eDirectory would be in an inconsistent state. In some cases, you probably could not roll back to the pre-upgrade settings.

This new health check tool resolves this, letting you ensure that your server is ready to upgrade.

B.2 Performing Health Checks

You can perform eDirectory health checks in two ways:

Section B.2.1, "With the Upgrade"
Section B.2.2, "As a Standalone Utility"

NOTE: You need administrative rights to run the health check utility.

B.2.1 With the Upgrade

The health checks are run by default every time you upgrade eDirectory.

Linux and UNIX

Every time you upgrade, the health checks are run by default before the actual upgrade operation starts.

To skip the default health checks, you can use the -j option with nds-install.

Windows

The eDirectory health checks happen as part of the installation wizard. You can enable or disable the health checks when prompted to do so.


B.2.2 As a Standalone Utility

You can run the eDirectory health checks as a standalone utility any time you want. The following table lists the health check utility names for each platform.

Table B-1 Health Check Utilities

Platform          Utility Name

Linux and UNIX    ndscheck
                  Syntax:
                  ndscheck [--help | -?]       Display command usage
                  ndscheck [--version | -v]    Display version information
                  ndscheck [-h <hostname[:port]>] [-a <admin FDN>] [-F <log file>] [-D] [-q] [--config-file <file name>]

Windows           ndscheck
                  Syntax:
                  ndscheck [--help | -?]       Display command usage
                  ndscheck [--version | -v]    Display version information
                  ndscheck [-h <hostname[:port]>] [-a <admin FDN>] [-F <log file>] [-D] [-q] [--config-file <file name>]

B.3 Types of Health Checks

When you run the ndscheck utility or upgrade, the following types of health checks are done:

Basic Server Health
Partitions and Replica Health

When you run the ndscheck utility, the results are displayed on the screen and logged in ndscheck.log. For more information on log files, refer to Section B.5, "Log Files," on page 155.

If the health checks are done as part of the upgrade, you are either prompted to continue the upgrade process or the process is aborted, depending on the types of errors found (if any). Error types are described in Section B.4, "Categorization of Health," on page 153.

B.3.1 Basic Server Health

This is the first stage of the health check, where the health check utility checks for the following:

1. The eDirectory service is up. The DIB is open and able to read some basic tree information such as tree name.
2. The server is listening on the respective port numbers.
   For LDAP, it gets the TCP and the SSL port numbers and checks if the server is listening on these ports.
   Similarly, it gets the HTTP and HTTP secure port numbers and checks if the server is listening on these ports.


B.3.2 Partitions and Replica Health

After checking the basic server health, it then checks the partitions and replica health as follows:

1. Checks the health of the replicas of the locally held partitions.
2. Reads the replica ring of every partition held by the server and checks whether all servers in the replica ring are up and all the replicas are in the ON state.
3. Checks the time synchronization of all the servers in the replica ring, showing any time difference between the servers.

B.4 Categorization of Health

There are three possible categories of health, based on the errors found while checking the health of an eDirectory server:

Normal
Warning
Critical

The status of the health checks is logged into a log file. For more information, refer to Section B.5, "Log Files," on page 155.

B.4.1 Normal

All the health checks were successful and the server health is normal.

The upgrade proceeds without an interruption.

B.4.2 Warning

Minor errors were found while checking the server health.

If the health check is run as part of the upgrade, you are prompted to either abort or continue. For more information, see Figure B-1 on page 154.

Warnings normally occur in the following scenarios:

- Server not listening on LDAP and HTTP ports (normal, secure, or both).
- Unable to contact any of the nonmaster servers in the replica ring.
- Servers in the replica ring are not in sync.


Figure B-1 Health Check with a Warning

B.4.3 Critical

Critical errors were found while checking the eDirectory health.

If the health check is run as part of the eDirectory upgrade, the upgrade operation is aborted. For more information, see Figure B-2 on page 155.

The critical state normally occurs in the following scenarios:

- Unable to read or open the DIB (might be locked or corrupt).
- Unable to contact all the servers in the replica ring.
- Locally held partitions are busy.
- Replica is not in the ON state.


Figure B-2 Health Check with a Critical Error

B.5 Log Files

Every eDirectory health check operation, whether it is run with the upgrade or as a standalone utility, maintains the status of the health in a log file.

The content of the log file is similar to the messages displayed on the screen when the checks are happening. For example, see Figure B-1 on page 154 and Figure B-2 on page 155.

The health check log file contains the following:

- Status of the health checks (normal, warning, or critical).
- URLs where possible solutions can be found.
  - Support forums (http://forums.novell.com/netiq/netiqproductdiscussionforums/edirectory/)


  - Troubleshooting Documentation (http://www.novell.com/documentation/edir88/edir88tshoot/data/front.html)
  - Error Codes (http://www.novell.com/documentation/nwec/)
  - Patches (http://support.novell.com/patches.html)
  - Cool Solutions (http://www.novell.com/communities/coolsolutions/edirectory)

The following table gives the default log file location on various platforms:

Table B-2 Health Check Log File Location

Platform          Log Filename    Location

Linux and UNIX    ndscheck.log    1. If you use the -h option, the ndscheck.log file is saved in the user's home directory.
                                  2. If you use the --config-file option, the ndscheck.log file is saved in the server instance's log directory. You can also select an instance from the multiple instances list.

Windows           ndscheck.log    The log file will be saved at install_directory\novell nds\.
                                  NOTE: install_directory is user specified.


Configuring OpenSLP for eDirectory

This appendix provides information for network administrators on the proper configuration of OpenSLP for Novell eDirectory installations without the Novell Client.

Section C.1, "Service Location Protocol"
Section C.2, "SLP Fundamentals"
Section C.3, "Configuration Parameters"

C.1 Service Location Protocol

OpenSLP is an open-source implementation of the IETF Service Location Protocol Version 2.0 standard, which is documented in IETF Request For Comments (RFC) 2608 (http://www.ietf.org/rfc/rfc2608.txt?number=2608).

In addition to implementing the SLP v2 protocol, the interface provided by OpenSLP source code is an implementation of another IETF standard for programmatically accessing SLP functionality, documented in RFC 2614 (http://www.ietf.org/rfc/rfc2614.txt?number=2614).

To fully understand the workings of SLP, it is worth reading these documents and internalizing them. They are not necessarily light reading, but they are essential to the proper configuration of SLP on an intranet.

For more information on the OpenSLP project, see the OpenSLP (http://www.OpenSLP.org) Web site and the SourceForge (http://sourceforge.net/projects/openslp) Web site. The OpenSLP Web site provides several documents that contain valuable configuration tips. Many of these are incomplete at the time of this writing.

C.2 SLP Fundamentals

Service Location Protocol specifies three components:

- The user agent (UA)
- The service agent (SA)
- The directory agent (DA)

The user agent's job is to provide a programmatic interface for clients to query for services, and for services to advertise themselves. A user agent contacts a directory agent to query for registered services of a specified service class and within a specified scope.

The service agent's job is to provide persistent storage and maintenance points for local services that have registered themselves with SLP. The service agent essentially maintains an in-memory database of registered local services. In fact, a service cannot register with SLP unless a local SA is present.


Clients can discover services with only a UA library, but registration requires an SA, primarily because an SA must reassert the existence of registered services periodically in order to maintain the registration with listening directory agents.

The directory agent's job is to provide a long-term persistent cache for advertised services, and to provide a point of access for user agents to look up services. As a cache, the DA listens for SAs to advertise new services, and caches those notifications. Over a short time, a DA's cache will become more complete. Directory agents use an expiration algorithm to expire cache entries. When a directory agent comes up, it reads its cache from persistent storage (generally a hard drive), and then begins to expire entries according to the algorithm. When a new DA comes up, or when a cache has been deleted, the DA detects this condition and sends out a special notification to all listening SAs to dump their local databases so the DA can quickly build its cache.

In the absence of any directory agents, the UA will resort to a general multicast query that SAs can respond to, building a list of the requested services in much the same manner that DAs use to build their cache. The list of services returned by such a query is an incomplete and much more localized list than that provided by a DA, especially in the presence of multicast filtering, which is done by many network administrators, limiting broadcasts and multicasts to only the local subnet.

In summary, everything hinges on the directory agent that a user agent finds for a given scope.

C.2.1 Novell Service Location Providers

The Novell version of SLP takes certain liberties with the SLP standard in order to provide a more robust service advertising environment, but it does so at the expense of some scalability.

For example, in order to improve scalability for a service advertising framework, you can limit the number of packets that are broadcast or multicast on a subnet. The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries. The first directory agent discovered that services the desired scope is the one that a service agent (and consequently, local user agents) will use for all future requests on that scope.

The Novell SLP implementation actually scans all of the directory agents it knows about looking for query information. It assumes a 300-millisecond round-trip time is too long, so it can scan 10 servers in about 3 to 5 seconds. This doesn't need to be done if SLP is configured correctly on the network, and OpenSLP assumes the network is in fact configured correctly for SLP traffic. OpenSLP's response timeout values are greater than that of Novell's SLP service provider, and it limits the number of directory agents to the first one that responds, whether or not that agent's information is accurate and complete.

C.2.2 User Agents

A user agent takes the physical form of a static or dynamic library that is linked into an application. It allows the application to query for SLP services.

User agents follow an algorithm to obtain the address of a directory agent to which queries will be sent. Once they obtain a DA address for a specified scope, they continue to use that address for that scope until it no longer responds, at which time they obtain another DA address for that scope. User agents locate a directory agent address for a specified scope by:

1. Checking to see if the socket handle on the current request is connected to a DA for the specified scope. If the request happens to be a multipart request, there may already be a cached connection present on the request.
2. Checking its local known DA cache for a DA matching the specified scope.


3. Checking with the local SA for a DA with the specified scope (and adding new addresses to the cache).
4. Querying DHCP for network-configured DA addresses that match the specified scope (and adding new addresses to the cache).
5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache).

The specified scope is "default" if not specified. That is, if no scope is statically defined in the SLP configuration file, and no scope is specified in the query, then the scope used is the word "default". It should also be noted that eDirectory never specifies a scope in its registrations. That's not to say the scope always used with eDirectory is "default". In fact, if there is a statically configured scope, that scope becomes the default scope for all local UA requests and SA registrations in the absence of a specified scope.

C.2.3 Service Agents

Service agents take the physical form of a separate process on the host machine. In the case of Windows, slpd.exe runs as a service on the local machine. User agents query the local service agent by sending messages to the loopback address on a well-known port.

A service agent locates and caches directory agents and their supported scope list by sending a DA discovery request directly to potential DA addresses by:

1. Checking all statically configured DA addresses (and adding new ones to the SA's known DA cache).
2. Requesting a list of DAs and scopes from DHCP (and adding new ones to the SA's known DA cache).
3. Multicasting a DA discovery request on a well-known port (and adding new ones to the SA's known DA cache).
4. Receiving DA advertising packets that are periodically broadcast by DAs (and adding new ones to the SA's known DA cache).

Since a user agent always queries the local service agent first, this is important, as the local service agent's response will determine whether or not the user agent continues to the next stage of discovery (in this case DHCP; see steps 3 and 4 in "User Agents" on page 158).

C.3 Configuration Parameters

Certain configuration parameters in the %systemroot%/slp.conf file control DA discovery as well:

net.slp.useScopes = <comma delimited scope list>
net.slp.DAAddresses = <comma delimited address list>
net.slp.passiveDADetection = <"true" or "false">
net.slp.activeDADetection = <"true" or "false">
net.slp.DAActiveDiscoveryInterval = <0, 1, or a number of seconds>

The useScopes option indicates which scopes the SA will advertise into, and which scopes queries will be made to in the absence of a specific scope on the registration or query made by the service or client application. Because eDirectory always advertises into and queries from the default scope, this list will become the default scope list for all eDirectory registrations and queries.

The DAAddresses option is a comma-delimited list of dotted-decimal IP addresses of DAs that should be preferred to all others. If this list of configured DAs does not support the scope of a registration or query, then SAs and UAs will resort to multicast DA discovery, unless such discovery is disabled.


The passiveDADetection option is True by default. Directory agents will periodically broadcast their existence on the subnet on a well-known port if configured to do so. These packets are termed DAAdvert packets. If this option is set to False, all broadcast DAAdvert packets are ignored by the SA.

The activeDADetection option is also True by default. This allows the SA to periodically broadcast a request for all DAs to respond with a directed DAAdvert packet. A directed packet is not broadcast, but sent directly to the SA in response to these requests. If this option is set to False, no periodic DA discovery request is broadcast by the SA.

The DAActiveDiscoveryInterval option is a tri-state parameter. The default value is 1, which is a special value meaning that the SA should only send out one DA discovery request upon initialization. Setting this option to 0 has the same effect as setting the activeDADetection option to false. Any other value is a number of seconds between discovery broadcasts.

These options, when used properly, can ensure an appropriate use of network bandwidth for service advertising. In fact, the default settings are designed to optimize scalability on an average network.
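How the five parameters above combine, as an added Python example (not OpenSLP or Novell code): it reads slp.conf text, applies the defaults described in this section, and reports the scopes, the preferred DAs and whether active or passive discovery is still running. The sample files are constructed, and treating lines that start with # or ; as comments follows RFC 2614.

```python
import ipaddress

# Defaults as described in section C.3; an empty useScopes means the scope "default".
DEFAULTS = {
    "net.slp.useScopes": "",
    "net.slp.DAAddresses": "",
    "net.slp.passiveDADetection": "true",
    "net.slp.activeDADetection": "true",
    "net.slp.DAActiveDiscoveryInterval": "1",
}


def parse_slp_conf(text):
    """Read the five DA-discovery settings from slp.conf text, applying defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in DEFAULTS:
            settings[key] = value.strip().strip('"')
    return settings


def _csv(value):
    """Split a comma-delimited setting into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def da_discovery_plan(text):
    """Summarise how a service agent with this slp.conf would find directory agents."""
    s = parse_slp_conf(text)
    warnings = []
    static_das = []
    for addr in _csv(s["net.slp.DAAddresses"]):
        try:
            static_das.append(str(ipaddress.IPv4Address(addr)))
        except ValueError:
            warnings.append(f"DAAddresses entry {addr!r} is not a dotted-decimal IP address")
    try:
        interval = int(s["net.slp.DAActiveDiscoveryInterval"])
    except ValueError:
        interval = 1
        warnings.append("DAActiveDiscoveryInterval is not a number; default of 1 assumed")
    # An interval of 0 has the same effect as activeDADetection = false.
    active_enabled = s["net.slp.activeDADetection"].lower() == "true" and interval != 0
    if not active_enabled:
        active = "disabled"
    elif interval == 1:
        active = "once at initialization"
    else:
        active = f"every {interval} seconds"
    passive = s["net.slp.passiveDADetection"].lower() == "true"
    if not static_das and not passive and not active_enabled:
        warnings.append("no static, passive or active DA discovery: only DAs "
                        "supplied by DHCP can be found")
    return {
        "scopes": _csv(s["net.slp.useScopes"]) or ["default"],
        "static_das": static_das,
        "passive": passive,
        "active": active,
        "warnings": warnings,
    }


# Constructed sample files.
SAMPLE_TUNED = """\
; constructed example
net.slp.useScopes = corp,lab
net.slp.DAAddresses = 192.168.1.10, 192.168.1.11
net.slp.DAActiveDiscoveryInterval = 900
"""

SAMPLE_ISOLATED = """\
net.slp.passiveDADetection = false
net.slp.DAActiveDiscoveryInterval = 0
net.slp.DAAddresses = 10.0.0.300
"""

if __name__ == "__main__":
    for name, text in (("tuned", SAMPLE_TUNED), ("isolated", SAMPLE_ISOLATED)):
        print(name, da_discovery_plan(text))
```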
